Merge "Fix webp iterator indexing for frame timing" am: bdaaa4e7a8 am: 7efa206ba9 Change-Id: Ib1028553d292b049ef522ffbb0011ec4e42e9e8d

commit: 0b33dbff239b2ed7c6f5472151b9255012d478f4 [log] [tgz]
author: Chris Craik <ccraik@google.com> Thu Jan 12 02:01:46 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Thu Jan 12 02:01:46 2017 +0000
tree: c91922ef12162d505cf8ab8017b5bdd149e7a882
parent: 2bc9b9939403a9d430744ad48c85d38847ad3000 [diff]
parent: 7efa206ba93b8597ffdd28ef5d8187f7f1ccc3de [diff]
diff --git a/framesequence/jni/FrameSequence_gif.cpp b/framesequence/jni/FrameSequence_gif.cpp
index 4722378..5118319 100644
--- a/framesequence/jni/FrameSequence_gif.cpp
+++ b/framesequence/jni/FrameSequence_gif.cpp

@@ -148,7 +148,7 @@
 static void copyLine(Color8888* dst, const unsigned char* src, const ColorMapObject* cmap,
                      int transparent, int width) {
     for (; width > 0; width--, src++, dst++) {
-        if (*src != transparent) {
+        if (*src != transparent && *src < cmap->ColorCount) {
             *dst = gifColorToColor8888(cmap->Colors[*src]);
         }
     }

diff --git a/framesequence/jni/FrameSequence_webp.cpp b/framesequence/jni/FrameSequence_webp.cpp
index 41fae2b..18568da 100644
--- a/framesequence/jni/FrameSequence_webp.cpp
+++ b/framesequence/jni/FrameSequence_webp.cpp

@@ -84,7 +84,10 @@
 #endif
 }
 
-FrameSequence_webp::FrameSequence_webp(Stream* stream) {
+FrameSequence_webp::FrameSequence_webp(Stream* stream)
+        : mDemux(NULL)
+        , mIsKeyFrame(NULL)
+        , mRawByteBuffer(NULL) {
     if (stream->getRawBuffer() != NULL) {
         mData.size = stream->getRawBufferSize();
         mData.bytes = stream->getRawBufferAddr();
@@ -96,7 +99,12 @@
             ALOGE("WebP header load failed");
             return;
         }
-        mData.size = CHUNK_HEADER_SIZE + GetLE32(riff_header + TAG_SIZE);
+        uint32_t readSize = GetLE32(riff_header + TAG_SIZE);
+        if (readSize > MAX_CHUNK_PAYLOAD) {
+            ALOGE("WebP got header size too large");
+            return;
+        }
+        mData.size = CHUNK_HEADER_SIZE + readSize;
         mData.bytes = new uint8_t[mData.size];
         memcpy((void*)mData.bytes, riff_header, RIFF_HEADER_SIZE);
 

diff --git a/framesequence/jni/FrameSequence_webp.h b/framesequence/jni/FrameSequence_webp.h
index c43c1e7..148146f 100644
--- a/framesequence/jni/FrameSequence_webp.h
+++ b/framesequence/jni/FrameSequence_webp.h

@@ -32,10 +32,16 @@
     virtual ~FrameSequence_webp();
 
     virtual int getWidth() const {
+        if (!mDemux) {
+            return 0;
+        }
         return WebPDemuxGetI(mDemux, WEBP_FF_CANVAS_WIDTH);
     }
 
     virtual int getHeight() const {
+        if (!mDemux) {
+            return 0;
+        }
         return WebPDemuxGetI(mDemux, WEBP_FF_CANVAS_HEIGHT);
     }
 
@@ -44,6 +50,9 @@
     }
 
     virtual int getFrameCount() const {
+        if (!mDemux) {
+            return 0;
+        }
         return WebPDemuxGetI(mDemux, WEBP_FF_FRAME_COUNT);
     }
commit	0b33dbff239b2ed7c6f5472151b9255012d478f4	[log] [tgz]
author	Chris Craik <ccraik@google.com>	Thu Jan 12 02:01:46 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Thu Jan 12 02:01:46 2017 +0000
tree	c91922ef12162d505cf8ab8017b5bdd149e7a882
parent	2bc9b9939403a9d430744ad48c85d38847ad3000 [diff]
parent	7efa206ba93b8597ffdd28ef5d8187f7f1ccc3de [diff]