Check NAL size before use (c74c5299) · Commits · e / os / android_frameworks_av

media/libstagefright/MPEG4Extractor.cpp

+9 −2

Original line number	Diff line number	Diff line
		@@ -4214,7 +4214,10 @@ status_t MPEG4Source::read(
		(const uint8_t *)mBuffer->data() + mBuffer->range_offset();

		size_t nal_size = parseNALSize(src);
		if (mBuffer->range_length() < mNALLengthSize + nal_size) {
		if (mNALLengthSize > SIZE_MAX - nal_size) {
		ALOGE("b/24441553, b/24445122");
		}
		if (mBuffer->range_length() - mNALLengthSize < nal_size) {
		ALOGE("incomplete NAL unit.");

		mBuffer->release();
		@@ -4501,7 +4504,11 @@ status_t MPEG4Source::fragmentedRead(
		(const uint8_t *)mBuffer->data() + mBuffer->range_offset();

		size_t nal_size = parseNALSize(src);
		if (mBuffer->range_length() < mNALLengthSize + nal_size) {
		if (mNALLengthSize > SIZE_MAX - nal_size) {
		ALOGE("b/24441553, b/24445122");
		}

		if (mBuffer->range_length() - mNALLengthSize < nal_size) {
		ALOGE("incomplete NAL unit.");

		mBuffer->release();