File tree Expand file tree Collapse file tree 1 file changed +22
-3
lines changed
media/libstagefright/foundation Expand file tree Collapse file tree 1 file changed +22
-3
lines changed Original file line number Diff line number Diff line change @@ -453,13 +453,23 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
453453 sp<AMessage> msg = new AMessage (what);
454454
455455 msg->mNumItems = static_cast <size_t >(parcel.readInt32 ());
456+ if (msg->mNumItems > kMaxNumItems ) {
457+ ALOGE (" Too large number of items clipped."
458+ msg->mNumItems = kMaxNumItems ;
459+ }
456460
457461 for (size_t i = 0 ; i < msg->mNumItems ; ++i) {
458462 Item *item = &msg->mItems [i];
459463
460- item->mName = AAtomizer::Atomize (parcel.readCString ());
461- item->mType = static_cast <Type>(parcel.readInt32 ());
464+ const char *name = parcel.readCString ();
465+ if (name == NULL ) {
466+ ALOGE (" Failed reading name for an item. Parsing aborted."
467+ msg->mNumItems = i;
468+ break ;
469+ }
462470
471+ item->mName = AAtomizer::Atomize (name);
472+ item->mType = static_cast <Type>(parcel.readInt32 ());
463473 switch (item->mType ) {
464474 case kTypeInt32 :
465475 {
@@ -493,7 +503,16 @@ sp<AMessage> AMessage::FromParcel(const Parcel &parcel) {
493503
494504 case kTypeString :
495505 {
496- item->u .stringValue = new AString (parcel.readCString ());
506+ const char *stringValue = parcel.readCString ();
507+ if (stringValue == NULL ) {
508+ ALOGE (" Failed reading string value from a parcel. "
509+ " Parsing aborted."
510+ msg->mNumItems = i;
511+ continue ;
512+ // The loop will terminate subsequently.
513+ } else {
514+ item->u .stringValue = new AString (stringValue);
515+ }
497516 break ;
498517 }
499518
You can’t perform that action at this time.
0 commit comments