Google Git
Sign in
android / platform / frameworks / av / 1bdedbb25e78a027d72ff8e997a1686495a27520^! / .
commit1bdedbb25e78a027d72ff8e997a1686495a27520[log] [tgz]
authorToni Heidenreich <tonihei@google.com>Mon Oct 17 16:57:53 2022 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Thu Dec 08 04:02:42 2022 +0000
tree01e2789718f1f6a9458dbae32d2bca458536dee2
parentbae3b00a5873d1562679a1289fd8490178cfe064 [diff]
Fix Out of Bounds Read in AAVCAssembler

Fixed Out of Bounds Read in dropFramesUntilIframe Function in
AAVCAssembler.
Added missing bound checks in pickStartSeq function of AHEVCAssembler.

Manual cherry-pick of pa/2300853.

Bug: 230630526

Change-Id: Ia9d0b172d0d09e3bf80a3b4bfc5d1125ac00264d
Test: Manual, See bug for repro steps.
(cherry picked from commit fa29e9f0320f29448f8481e4b50de7ac65297558)
Merged-In: Ia9d0b172d0d09e3bf80a3b4bfc5d1125ac00264d
(cherry picked from commit 3066b1410d87cc8f320cf8dd7eb7705172773919)
Merged-In: Ia9d0b172d0d09e3bf80a3b4bfc5d1125ac00264d

diff --git a/media/libstagefright/rtsp/AAVCAssembler.cpp b/media/libstagefright/rtsp/AAVCAssembler.cpp
index ddf797c..88f7be7 100644
--- a/media/libstagefright/rtsp/AAVCAssembler.cpp
+++ b/media/libstagefright/rtsp/AAVCAssembler.cpp

@@ -332,6 +332,11 @@
 }
 
 bool AAVCAssembler::dropFramesUntilIframe(const sp<ABuffer> &buffer) {
+    if (buffer->size() == 0) {
+        ALOGE("b/230630526 buffer->size() == 0");
+        android_errorWriteLog(0x534e4554, "230630526");
+        return false;
+    }
     const uint8_t *data = buffer->data();
     unsigned nalType = data[0] & 0x1f;
     if (!mFirstIFrameProvided && nalType < 0x5) {
@@ -624,8 +629,7 @@
     int32_t firstSeqNo = buffer->int32Data();
 
     // This only works for FU-A type & non-start sequence
-    int32_t nalType = buffer->size() >= 1 ? buffer->data()[0] & 0x1f : -1;
-    if (nalType != 28 || (buffer->size() >= 2 && buffer->data()[1] & 0x80)) {
+    if (buffer->size() < 2 || (buffer->data()[0] & 0x1f) != 28 || buffer->data()[1] & 0x80) {
         return firstSeqNo;
     }
 

diff --git a/media/libstagefright/rtsp/AHEVCAssembler.cpp b/media/libstagefright/rtsp/AHEVCAssembler.cpp
index bb42d1f..72dd981 100644
--- a/media/libstagefright/rtsp/AHEVCAssembler.cpp
+++ b/media/libstagefright/rtsp/AHEVCAssembler.cpp

@@ -629,13 +629,13 @@
 
 int32_t AHEVCAssembler::pickStartSeq(const Queue *queue,
         uint32_t first, int64_t play, int64_t jit) {
+    CHECK(!queue->empty());
     // pick the first sequence number has the start bit.
     sp<ABuffer> buffer = *(queue->begin());
     int32_t firstSeqNo = buffer->int32Data();
 
     // This only works for FU-A type & non-start sequence
-    unsigned nalType = buffer->data()[0] & 0x1f;
-    if (nalType != 28 || buffer->data()[2] & 0x80) {
+    if (buffer->size() < 3 || (buffer->data()[0] & 0x1f) != 28 || buffer->data()[2] & 0x80) {
         return firstSeqNo;
     }
 
@@ -645,7 +645,7 @@
         if (rtpTime + jit >= play) {
             break;
         }
-        if ((data[2] & 0x80)) {
+        if (it->size() >= 3 && (data[2] & 0x80)) {
             const int32_t seqNo = it->int32Data();
             ALOGE("finding [HEAD] pkt. \t Seq# (%d ~ )[%d", firstSeqNo, seqNo);
             firstSeqNo = seqNo;