Fix divide by zero
and be stricter about the layout of various boxes in mp4 files.
Bug: 31318219
Change-Id: I50034d5b6b1967ca6e88aabeacf49f26ba3c0d32
(cherry picked from commit 0d13824315b0491d44e9c6eb5db06489ab0fcc20)
diff --git a/media/libmedia/IMediaExtractor.cpp b/media/libmedia/IMediaExtractor.cpp
index e8ad75b..72d1d7c 100644
--- a/media/libmedia/IMediaExtractor.cpp
+++ b/media/libmedia/IMediaExtractor.cpp
@@ -160,6 +160,9 @@
if (data.readUint32(&idx) == NO_ERROR &&
data.readUint32(&flags) == NO_ERROR) {
sp<MetaData> meta = getTrackMetaData(idx, flags);
+ if (meta == NULL) {
+ return UNKNOWN_ERROR;
+ }
meta->writeToParcel(*reply);
return NO_ERROR;
}
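Review bot: The new NULL branch fails the transaction silently, whereas the malformed-box rejections this same commit adds in MPEG4Extractor.cpp all log through ALOGE. Someone triaging a rejected file from the binder side gets only `UNKNOWN_ERROR` with no record of which track index was refused. Consider logging before the return, e.g. `ALOGE("getTrackMetaData(%u) returned NULL", idx);`, assuming the logging macros are already available in this file. A one-line comment saying when getTrackMetaData() may return NULL would also help; presumably this is for a track the extractor has skipped, but that is not visible in this hunk.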
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 76db3fb..0f4e29a 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -476,7 +476,8 @@
} else {
uint32_t sampleIndex;
uint32_t sampleTime;
- if (track->sampleTable->findThumbnailSample(&sampleIndex) == OK
+ if (track->timescale != 0 &&
+ track->sampleTable->findThumbnailSample(&sampleIndex) == OK
&& track->sampleTable->getMetaDataForSample(
sampleIndex, NULL /* offset */, NULL /* size */,
&sampleTime) == OK) {
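Review bot: The `track->timescale != 0` guard protects only this thumbnail lookup, so a file that declares a zero timescale is still accepted and the value stays stored on the track. The division being shielded is below the hunk, and any other code that divides by a track's timescale would need its own guard. Rejecting the value where it is parsed would cover every consumer at once, along the lines of `if (timescale == 0) { ALOGE("timescale is 0"); return ERROR_MALFORMED; }` in the handler that assigns it, with names adapted since that handler is not visible here. If the use-site check is kept, a short comment such as `// timescale comes from the file; 0 would divide by zero below` would record why it is there.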
@@ -925,6 +926,10 @@
case FOURCC('s', 'c', 'h', 'i'):
case FOURCC('e', 'd', 't', 's'):
{
+ if (chunk_type == FOURCC('m', 'o', 'o', 'v') && depth != 0) {
+ ALOGE("moov: depth %d", depth);
+ return ERROR_MALFORMED;
+ }
if (chunk_type == FOURCC('m', 'o', 'o', 'f') && !mMoofFound) {
// store the offset of the first segment
mMoofFound = true;
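Review bot: The expected nesting levels are bare literals with no explanation: `depth != 0` for moov here, `depth != 1` for trak in the next hunk, and `depth != 1` for mvhd in the last hunk. A reader cannot tell from the code that these encode the box hierarchy (moov at top level, trak and mvhd directly inside it), nor that the checks exist to stop a crafted file from nesting these boxes and re-entering the container and track set-up paths. A comment at each site would make the intent reviewable, for example `// moov is only valid as a top-level box` and `// trak/mvhd must be direct children of moov`. Only moov is constrained within this shared case list; the other container types listed in the same case block are still accepted at any depth, which is worth confirming as intended.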
@@ -953,6 +958,10 @@
bool isTrack = false;
if (chunk_type == FOURCC('t', 'r', 'a', 'k')) {
+ if (depth != 1) {
+ ALOGE("trak: depth %d", depth);
+ return ERROR_MALFORMED;
+ }
isTrack = true;
Track *track = new Track;
@@ -976,6 +985,10 @@
while (*offset < stop_offset) {
status_t err = parseChunk(offset, depth + 1);
if (err != OK) {
+ if (isTrack) {
+ mLastTrack->skipTrack = true;
+ break;
+ }
return err;
}
}
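Review bot: When a child of a trak fails to parse, the new branch discards `err` and breaks out of the loop with `*offset` left wherever the failing child stopped, which may be in the middle of the trak box. The code after the loop is outside this hunk, so it should be confirmed that it either resynchronises with `*offset = stop_offset;` or rejects the file. Otherwise the remainder of the bad trak would be parsed as sibling boxes of moov. The swallowed error is also not logged; `ALOGW("skipping malformed trak, err %d", err);` before the `break` would keep the reason visible. The branch also assumes `mLastTrack` is the track created for this trak. The new depth check makes nested traks impossible, so this should hold, but a comment saying so would help.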
@@ -1321,10 +1334,6 @@
case FOURCC('s', 't', 's', 'd'):
{
- if (chunk_data_size < 8) {
- return ERROR_MALFORMED;
- }
-
uint8_t buffer[8];
if (chunk_data_size < (off64_t)sizeof(buffer)) {
return ERROR_MALFORMED;
@@ -1950,6 +1959,10 @@
{
*offset += chunk_size;
+ if (depth != 1) {
+ ALOGE("mvhd: depth %d", depth);
+ return ERROR_MALFORMED;
+ }
if (chunk_data_size < 32) {
return ERROR_MALFORMED;
}