Fix divide by zero

and be stricter about the layout of various boxes in mp4 files. Bug: 31318219 Change-Id: I50034d5b6b1967ca6e88aabeacf49f26ba3c0d32

Fix divide by zero
and be stricter about the layout of various boxes in mp4 files. Bug: 31318219 Change-Id: I50034d5b6b1967ca6e88aabeacf49f26ba3c0d32
12416c41 · Marco Nelissen · 25a681e6 · 12416c41
Commit 12416c41 authored 8 years ago by Marco Nelissen
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 4 deletions

media/libstagefright/MPEG4Extractor.cpp media/libstagefright/MPEG4Extractor.cpp +18 -4

No files found.
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -468,7 +468,8 @@ sp<MetaData> MPEG4Extractor::getTrackMetaData(
            } else {
                uint32_t sampleIndex;
                uint32_t sampleTime;
-                if (track->sampleTable->findThumbnailSample(&sampleIndex) == OK
+                if (track->timescale != 0 &&
+                        track->sampleTable->findThumbnailSample(&sampleIndex) == OK
                        && track->sampleTable->getMetaDataForSample(
                            sampleIndex, NULL /* offset */, NULL /* size */,
                            &sampleTime) == OK) {
@@ -885,6 +886,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
        case FOURCC('s', 'c', 'h', 'i'):
        case FOURCC('e', 'd', 't', 's'):
        {
+            if (chunk_type == FOURCC('m', 'o', 'o', 'v') && depth != 0) {
+                ALOGE("moov: depth %d", depth);
+                return ERROR_MALFORMED;
+            }
            if (chunk_type == FOURCC('s', 't', 'b', 'l')) {
                ALOGV("sampleTable chunk is %" PRIu64 " bytes long.", chunk_size);

@@ -907,6 +912,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {

            bool isTrack = false;
            if (chunk_type == FOURCC('t', 'r', 'a', 'k')) {
+                if (depth != 1) {
+                    ALOGE("trak: depth %d", depth);
+                    return ERROR_MALFORMED;
+                }
                isTrack = true;

                Track *track = new Track;
@@ -930,6 +939,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
            while (*offset < stop_offset) {
                status_t err = parseChunk(offset, depth + 1);
                if (err != OK) {
+                    if (isTrack) {
+                        mLastTrack->skipTrack = true;
+                        break;
+                    }
                    return err;
                }
            }
@@ -1277,9 +1290,6 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
            if (mLastTrack == NULL) {
                return ERROR_MALFORMED;
            }
-            if (chunk_data_size < 8) {
-                return ERROR_MALFORMED;
-            }

            uint8_t buffer[8];
            if (chunk_data_size < (off64_t)sizeof(buffer)) {
@@ -1838,6 +1848,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
        {
            *offset += chunk_size;

+            if (depth != 1) {
+                ALOGE("mvhd: depth %d", depth);
+                return ERROR_MALFORMED;
+            }
            if (chunk_data_size < 32) {
                return ERROR_MALFORMED;
            }