From 59aed18ec46da339632f5b5f5a68279cecbbd4f7 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Tue, 4 Aug 2015 08:38:24 -0700 Subject: [PATCH] Extra sanity checks on sample size and resolution Instead of rejecting the samples later when they don't fit in the buffer, reject the entire file early. Bug: 22882938 Change-Id: I748153b0e9e827e3f2526468756295b4b5000de6 (cherry picked from commit beef7e58c1f1837bdaed6ac37414d8c48a133813)
---
 media/libstagefright/MPEG4Extractor.cpp | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 48640ee8a..be48afe8a 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1383,15 +1383,27 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
 // each chunk originally prefixed with a 2 byte length will
 // have a 4 byte header (0x00 0x00 0x00 0x01) after conversion,
 // and thus will grow by 2 bytes per chunk.
+ if (max_size > SIZE_MAX - 10 * 2) {
+ ALOGE("max sample size too big: %zu", max_size);
+ return ERROR_MALFORMED;
+ }
 mLastTrack->meta->setInt32(kKeyMaxInputSize, max_size + 10 * 2);
 } else {
 // No size was specified. Pick a conservatively large size.
- int32_t width, height;
- if (!mLastTrack->meta->findInt32(kKeyWidth, &width) ||
- !mLastTrack->meta->findInt32(kKeyHeight, &height)) {
+ uint32_t width, height;
+ if (!mLastTrack->meta->findInt32(kKeyWidth, (int32_t*)&width) ||
+ !mLastTrack->meta->findInt32(kKeyHeight,(int32_t*) &height)) {
 ALOGE("No width or height, assuming worst case 1080p");
 width = 1920;
 height = 1080;
+ } else {
+ // A resolution was specified, check that it's not too big. The values below
+ // were chosen so that the calculations below don't cause overflows, they're
+ // not indicating that resolutions up to 32kx32k are actually supported.
+ if (width > 32768 || height > 32768) {
+ ALOGE("can't support %u x %u video", width, height);
+ return ERROR_MALFORMED;
+ }
+ }
 const char *mime;
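Review bot: The new `SIZE_MAX - 10 * 2` guard only stops `max_size + 10 * 2` from wrapping in size_t, but the sum is then handed to `setInt32(kKeyMaxInputSize, ...)`, which presumably narrows it to int32_t, so a max_size between INT32_MAX - 20 and SIZE_MAX - 20 still passes the check and is stored as a truncated or negative kKeyMaxInputSize for whatever sizes its buffers from that key. Since the stored int32 is what consumers read, the bound should be the int32 one, e.g. `if (max_size > INT32_MAX - 10 * 2) {`, assuming max_size is a size_t as the `%zu` format suggests. On the resolution branch, reading through `(int32_t*)&width` relies on pointer punning so that a negative stored width becomes a large unsigned value that the 32768 comparison rejects; reading into an `int32_t` and checking `width < 0 || width > 32768` (same for height) would make that intent explicit and drop the C-style casts. parseChunk starts and ends outside the hunk, so whether the later calculations the comment refers to stay within 32-bit bounds cannot be confirmed here.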