
Commit af4fee2b authored by Dongwon Kang's avatar Dongwon Kang Committed by Android (Google) Code Review

Merge changes I1744d71d,Id34dea17,I9ec41f8d

* changes:
  Add more size checking for 'stts' box
  Add more size checking for 'stss' box
  Add size checking for 'saio' box
parents 771d7889 7ed7ae95
+19 −1
@@ -5040,26 +5040,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
}
}


status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
        off64_t offset, off64_t /* size */) {
        off64_t offset, off64_t size) {
    ALOGV("parseSampleAuxiliaryInformationOffsets");
    ALOGV("parseSampleAuxiliaryInformationOffsets");
    if (size < 8) {
        return -EINVAL;
    }
    // 14496-12 8.7.13
    // 14496-12 8.7.13
    uint8_t version;
    uint8_t version;
    if (mDataSource->readAt(offset, &version, sizeof(version)) != 1) {
    if (mDataSource->readAt(offset, &version, sizeof(version)) != 1) {
        return ERROR_IO;
        return ERROR_IO;
    }
    }
    offset++;
    offset++;
    size--;


    uint32_t flags;
    uint32_t flags;
    if (!mDataSource->getUInt24(offset, &flags)) {
    if (!mDataSource->getUInt24(offset, &flags)) {
        return ERROR_IO;
        return ERROR_IO;
    }
    }
    offset += 3;
    offset += 3;
    size -= 3;


    uint32_t entrycount;
    uint32_t entrycount;
    if (!mDataSource->getUInt32(offset, &entrycount)) {
    if (!mDataSource->getUInt32(offset, &entrycount)) {
        return ERROR_IO;
        return ERROR_IO;
    }
    }
    offset += 4;
    offset += 4;
    size -= 4;
    if (entrycount == 0) {
    if (entrycount == 0) {
        return OK;
        return OK;
    }
    }
@@ -5085,19 +5091,31 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(


    for (size_t i = 0; i < entrycount; i++) {
    for (size_t i = 0; i < entrycount; i++) {
        if (version == 0) {
        if (version == 0) {
            if (size < 4) {
                ALOGW("b/124526959");
                android_errorWriteLog(0x534e4554, "124526959");
                return -EINVAL;
            }
            uint32_t tmp;
            uint32_t tmp;
            if (!mDataSource->getUInt32(offset, &tmp)) {
            if (!mDataSource->getUInt32(offset, &tmp)) {
                return ERROR_IO;
                return ERROR_IO;
            }
            }
            mCurrentSampleInfoOffsets[i] = tmp;
            mCurrentSampleInfoOffsets[i] = tmp;
            offset += 4;
            offset += 4;
            size -= 4;
        } else {
        } else {
            if (size < 8) {
                ALOGW("b/124526959");
                android_errorWriteLog(0x534e4554, "124526959");
                return -EINVAL;
            }
            uint64_t tmp;
            uint64_t tmp;
            if (!mDataSource->getUInt64(offset, &tmp)) {
            if (!mDataSource->getUInt64(offset, &tmp)) {
                return ERROR_IO;
                return ERROR_IO;
            }
            }
            mCurrentSampleInfoOffsets[i] = tmp;
            mCurrentSampleInfoOffsets[i] = tmp;
            offset += 8;
            offset += 8;
            size -= 8;
        }
        }
    }
    }
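Review bot: The per-entry `size < 4` / `size < 8` checks inside the loop reject a truncated 'saio' box only after earlier entries have already been written to `mCurrentSampleInfoOffsets`, and after whatever the code between the two hunks (not shown here) does with `entrycount`. Both `entrycount` and `version` are known before the loop, so a single bound placed right after `size -= 4;`, such as `if (entrycount > size / (version == 0 ? 4 : 8)) { android_errorWriteLog(0x534e4554, "124526959"); return ERROR_MALFORMED; }`, would fail before any entrycount-driven sizing or partial writes. It would also log the event once instead of in two duplicated branches. The new early returns use `-EINVAL`, while the rest of this function returns `ERROR_IO` and the 'stss' check in this same commit returns `ERROR_MALFORMED`; a single status code for a malformed box would keep caller handling uniform. The function body continues outside the visible hunks.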


+7 −10
@@ -391,20 +391,11 @@ status_t SampleTable::setTimeToSampleParams(
    }
    }


    mTimeToSampleCount = U32_AT(&header[4]);
    mTimeToSampleCount = U32_AT(&header[4]);
    if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) {
    if (mTimeToSampleCount > (data_size - 8) / (2 * sizeof(uint32_t))) {
        // Choose this bound because
        // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one
        //    time-to-sample entry in the time-to-sample table.
        // 2) mTimeToSampleCount is the number of entries of the time-to-sample
        //    table.
        // 3) We hope that the table size does not exceed UINT32_MAX.
        ALOGE("Time-to-sample table size too large.");
        ALOGE("Time-to-sample table size too large.");
        return ERROR_OUT_OF_RANGE;
        return ERROR_OUT_OF_RANGE;
    }
    }


    // Note: At this point, we know that mTimeToSampleCount * 2 will not
    // overflow because of the above condition.

    uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t);
    uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t);
    mTotalSize += allocSize;
    mTotalSize += allocSize;
    if (mTotalSize > kMaxTotalSize) {
    if (mTotalSize > kMaxTotalSize) {
@@ -540,6 +531,12 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
    }
    }


    uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t);
    uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t);
    if (allocSize > data_size - 8) {
        ALOGW("b/124771364 - allocSize(%lu) > size(%lu)",
                (unsigned long)allocSize, (unsigned long)(data_size - 8));
        android_errorWriteLog(0x534e4554, "124771364");
        return ERROR_MALFORMED;
    }
    if (allocSize > kMaxTotalSize) {
    if (allocSize > kMaxTotalSize) {
        ALOGE("Sync sample table size too large.");
        ALOGE("Sync sample table size too large.");
        return ERROR_OUT_OF_RANGE;
        return ERROR_OUT_OF_RANGE;
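Review bot: Both new bounds compute `data_size - 8` on a `size_t`, so they only hold if `data_size >= 8` has been established earlier in `setTimeToSampleParams` and `setSyncSampleParams`. That guard is not visible in either hunk, and without it the subtraction wraps and the comparison accepts any count. The commit also deletes the comment that explained the old 'stts' bound without replacing it, so the literal `8` is now unexplained. If the entry guard exists, a comment above each check would record the dependency, for example `// data_size >= 8 verified above; 8 = version/flags + entry count already consumed`. If it does not exist, `if (data_size < 8) return ERROR_MALFORMED;` should precede the subtraction. As a smaller point, the 'stss' log casts the 64-bit `allocSize` to `unsigned long`, which truncates the reported value on 32-bit builds; `%llu` with `(unsigned long long)` would keep it exact.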