DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp

Also remove some CHECK's. Bug: 23680780 Change-Id: I62d0941e203e40209fa6fbe3f923f3efdc5a6c23 (cherry picked from commit 7bb772e0)

DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp
Also remove some CHECK's. Bug: 23680780 Change-Id: I62d0941e203e40209fa6fbe3f923f3efdc5a6c23 (cherry picked from commit 7bb772e0)
c38bb447 · Wei Jia · The Android Automerger · 7e354f50 · c38bb447
Commit c38bb447 authored 9 years ago by Wei Jia Committed by The Android Automerger 9 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 8 deletions

media/libstagefright/Utils.cpp media/libstagefright/Utils.cpp +28 -8

No files found.
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -196,8 +196,10 @@ status_t convertMetaDataToMessage(

        const uint8_t *ptr = (const uint8_t *)data;

-        CHECK(size >= 7);
-        CHECK_EQ((unsigned)ptr[0], 1u);  // configurationVersion == 1
+        if (size < 7 || ptr[0] != 1) {  // configurationVersion == 1
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
        uint8_t profile = ptr[1];
        uint8_t level = ptr[3];

@@ -223,7 +225,10 @@ status_t convertMetaDataToMessage(
        buffer->setRange(0, 0);

        for (size_t i = 0; i < numSeqParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
            size_t length = U16_AT(ptr);

            ptr += 2;
@@ -252,13 +257,19 @@ status_t convertMetaDataToMessage(
        }
        buffer->setRange(0, 0);

-        CHECK(size >= 1);
+        if (size < 1) {
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
        size_t numPictureParameterSets = *ptr;
        ++ptr;
        --size;

        for (size_t i = 0; i < numPictureParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
            size_t length = U16_AT(ptr);

            ptr += 2;
@@ -282,8 +293,10 @@ status_t convertMetaDataToMessage(
    } else if (meta->findData(kKeyHVCC, &type, &data, &size)) {
        const uint8_t *ptr = (const uint8_t *)data;

-        CHECK(size >= 7);
-        CHECK_EQ((unsigned)ptr[0], 1u);  // configurationVersion == 1
+        if (size < 23 || ptr[0] != 1) {  // configurationVersion == 1
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
        uint8_t profile = ptr[1] & 31;
        uint8_t level = ptr[12];
        ptr += 22;
@@ -302,6 +315,10 @@ status_t convertMetaDataToMessage(
        buffer->setRange(0, 0);

        for (i = 0; i < numofArrays; i++) {
+            if (size < 3) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
            ptr += 1;
            size -= 1;

@@ -312,7 +329,10 @@ status_t convertMetaDataToMessage(
            size -= 2;

            for (j = 0; j < numofNals; j++) {
-                CHECK(size >= 2);
+                if (size < 2) {
+                    ALOGE("b/23680780");
+                    return BAD_VALUE;
+                }
                size_t length = U16_AT(ptr);

                ptr += 2;