Handle size correctly from webp header
bug:32338390
Change-Id: I8d79692c72fdc3b0cba5342179b0f30a21bae094
diff --git a/framesequence/jni/FrameSequence_webp.cpp b/framesequence/jni/FrameSequence_webp.cpp
index 602feb7..7ffb350 100644
--- a/framesequence/jni/FrameSequence_webp.cpp
+++ b/framesequence/jni/FrameSequence_webp.cpp
@@ -84,14 +84,21 @@
#endif
}
-FrameSequence_webp::FrameSequence_webp(Stream* stream) {
+FrameSequence_webp::FrameSequence_webp(Stream* stream)
+ : mDemux(NULL)
+ , mIsKeyFrame(NULL) {
// Read RIFF header to get file size.
uint8_t riff_header[RIFF_HEADER_SIZE];
if (stream->read(riff_header, RIFF_HEADER_SIZE) != RIFF_HEADER_SIZE) {
ALOGE("WebP header load failed");
return;
}
- mData.size = CHUNK_HEADER_SIZE + GetLE32(riff_header + TAG_SIZE);
+ uint32_t readSize = GetLE32(riff_header + TAG_SIZE);
+ if (readSize > MAX_CHUNK_PAYLOAD) {
+ ALOGE("WebP got header size too large");
+ return;
+ }
+ mData.size = CHUNK_HEADER_SIZE + readSize;
mData.bytes = new uint8_t[mData.size];
memcpy((void*)mData.bytes, riff_header, RIFF_HEADER_SIZE);
diff --git a/framesequence/jni/FrameSequence_webp.h b/framesequence/jni/FrameSequence_webp.h
index f4fbec0..111101b 100644
--- a/framesequence/jni/FrameSequence_webp.h
+++ b/framesequence/jni/FrameSequence_webp.h
@@ -32,10 +32,16 @@
virtual ~FrameSequence_webp();
virtual int getWidth() const {
+ if (!mDemux) {
+ return 0;
+ }
return WebPDemuxGetI(mDemux, WEBP_FF_CANVAS_WIDTH);
}
virtual int getHeight() const {
+ if (!mDemux) {
+ return 0;
+ }
return WebPDemuxGetI(mDemux, WEBP_FF_CANVAS_HEIGHT);
}
@@ -44,6 +50,9 @@
}
virtual int getFrameCount() const {
+ if (!mDemux) {
+ return 0;
+ }
return WebPDemuxGetI(mDemux, WEBP_FF_FRAME_COUNT);
}
