Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f98c4b76 authored by Android Build Merger (Role)'s avatar Android Build Merger (Role)
Browse files

[automerger] NuPlayerCCDecoder: fix memory OOB am: 0f7ff707 am: db59f63f am: e612be07 

Change-Id: Ibb7a42e6291bb12ca85c0ebc15c2b6dc9052ad2e
parents 0f33fc35 e612be07

media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp

+24 −2
Original line number Diff line number Diff line
@@ -308,6 +308,11 @@ bool NuPlayer::CCDecoder::extractFromMPEGUserData(const sp<ABuffer> &accessUnit) 
    const size_t *userData = (size_t *)mpegUserData->data();



    for (size_t i = 0; i < mpegUserData->size() / sizeof(size_t); ++i) {

        if (accessUnit->size() < userData[i]) {

            ALOGW("b/129068792, skip invalid offset for user data");

            android_errorWriteLog(0x534e4554, "129068792");

            continue;

        }

        trackAdded |= parseMPEGUserDataUnit(

                timeUs, accessUnit->data() + userData[i], accessUnit->size() - userData[i]);

    }
@@ -317,6 +322,12 @@ bool NuPlayer::CCDecoder::extractFromMPEGUserData(const sp<ABuffer> &accessUnit) 


// returns true if a new CC track is found

bool NuPlayer::CCDecoder::parseMPEGUserDataUnit(int64_t timeUs, const uint8_t *data, size_t size) {

    if (size < 9) {

        ALOGW("b/129068792, MPEG user data size too small %zu", size);

        android_errorWriteLog(0x534e4554, "129068792");

        return false;

    }



    ABitReader br(data + 4, 5);



    uint32_t user_identifier = br.getBits(32);
@@ -369,8 +380,14 @@ bool NuPlayer::CCDecoder::parseMPEGCCData(int64_t timeUs, const uint8_t *data, s 
                mDTVCCPacket->setRange(0, mDTVCCPacket->size() + 2);

                br.skipBits(16);

            } else if (mDTVCCPacket->size() > 0 && cc_type == 2) {

                if (mDTVCCPacket->capacity() - mDTVCCPacket->size() >= 2) {

                    memcpy(mDTVCCPacket->data() + mDTVCCPacket->size(), br.data(), 2);

                    mDTVCCPacket->setRange(0, mDTVCCPacket->size() + 2);

                } else {

                    ALOGW("b/129068792, skip CC due to too much data(%zu, %zu)",

                          mDTVCCPacket->capacity(), mDTVCCPacket->size());

                    android_errorWriteLog(0x534e4554, "129068792");

                }

                br.skipBits(16);

            } else if (cc_type == 0 || cc_type == 1) {

                uint8_t cc_data_1 = br.getBits(8) & 0x7f;
@@ -457,6 +474,11 @@ bool NuPlayer::CCDecoder::parseDTVCCPacket(int64_t timeUs, const uint8_t *data, 
            size_t trackIndex = getTrackIndex(kTrackTypeCEA708, service_number, &trackAdded);

            if (mSelectedTrack == (ssize_t)trackIndex) {

                sp<ABuffer> ccPacket = new ABuffer(block_size);

                if (ccPacket->capacity() == 0) {

                    ALOGW("b/129068792, no memory available, %zu", block_size);

                    android_errorWriteLog(0x534e4554, "129068792");

                    return false;

                }

                memcpy(ccPacket->data(), br.data(), block_size);

                mCCMap.add(timeUs, ccPacket);

            }