
Commit a26215a1 authored by Marco Nelissen's avatar Marco Nelissen Committed by Automerger Merge Worker

Fix memory overflow in ESQueue am: 91fed774 am: 979ebeac am: 6f24da9b am: 8381c1ef

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/12794733

Change-Id: I49d48409ddb70facbf2bd95b40345669dca6e208
parents 8e4dd95f 8381c1ef
+7 −1
@@ -1423,7 +1423,13 @@ sp<ABuffer> ElementaryStreamQueue::dequeueAccessUnitH264() {
                if (mSampleDecryptor != NULL && (nalType == 1 || nalType == 5)) {
                    uint8_t *nalData = mBuffer->data() + pos.nalOffset;
                    size_t newSize = mSampleDecryptor->processNal(nalData, pos.nalSize);
                    // Note: the data can shrink due to unescaping
                    // Note: the data can shrink due to unescaping, but it can never grow
                    if (newSize > pos.nalSize) {
                        // don't log unless verbose, since this can get called a lot if
                        // the caller is trying to resynchronize
                        ALOGV("expected sample size < %u, got %zu", pos.nalSize, newSize);
                        return NULL;
                    }
                    memcpy(accessUnit->data() + dstOffset + 4,
                            nalData,
                            newSize);
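Review bot: The new `newSize > pos.nalSize` check only protects the `memcpy` into `accessUnit`; it runs after `mSampleDecryptor->processNal(nalData, pos.nalSize)` has already operated on `nalData` inside `mBuffer`, so if that call can ever report a larger size it may also have written past the NAL before this guard fires (processNal is not visible here, so this should be confirmed in its implementation). The log text says `<` while the condition accepts an equal size; `ALOGV("expected sample size <= %u, got %zu", pos.nalSize, newSize);` would match the check. Because the rejection is logged only at verbose level, a decryptor returning an oversized result leaves no trace in normal builds; a rate-limited warning would keep resync noise down while still recording the event. The body of dequeueAccessUnitH264() starts and ends outside the hunk, so whether the early `return NULL` leaves any queue state half-updated cannot be judged from these lines.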