Bug 1181719 - p2: Check numBitsLeft before each getBits - r=rillian
authorGerald Squelart <gsquelart@mozilla.com>
Wed, 04 Nov 2015 23:42:00 +0100
changeset 271579 2801114b2b72e4f74f53848aea02de0ab39ad4e1
parent 271578 c590b18c5885040d6f2a6c711e9f1a8f87965ec1
child 271580 141a05a200420244bf618ad7d5618765a566b820
push id16135
push usercbook@mozilla.com
push dateMon, 09 Nov 2015 13:59:56 +0000
reviewersrillian
bugs1181719
milestone45.0a1
Bug 1181719 - p2: Check numBitsLeft before each getBits - r=rillian
media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -2624,48 +2624,69 @@ status_t MPEG4Extractor::updateAudioTrac
         return OK;
     }
 
     if (csd_size < 2) {
         return ERROR_MALFORMED;
     }
 
     ABitReader br(csd, csd_size);
+    if (br.numBitsLeft() < 5) {
+        return ERROR_MALFORMED;
+    }
     uint32_t objectType = br.getBits(5);
 
     if (objectType == 31) {  // AAC-ELD => additional 6 bits
+        if (br.numBitsLeft() < 6) {
+            return ERROR_MALFORMED;
+        }
         objectType = 32 + br.getBits(6);
     }
 
     if (objectType >= 1 && objectType <= 4) {
         if (!mLastTrack) {
           return ERROR_MALFORMED;
         }
         mLastTrack->meta->setInt32(kKeyAACProfile, objectType);
     }
 
+    if (br.numBitsLeft() < 4) {
+        return ERROR_MALFORMED;
+    }
     uint32_t freqIndex = br.getBits(4);
 
     int32_t sampleRate = 0;
     int32_t numChannels = 0;
     if (freqIndex == 15) {
         if (csd_size < 5) {
             return ERROR_MALFORMED;
         }
+        if (br.numBitsLeft() < 24 + 4) {
+            return ERROR_MALFORMED;
+        }
         sampleRate = br.getBits(24);
         numChannels = br.getBits(4);
     } else {
+        if (br.numBitsLeft() < 4) {
+            return ERROR_MALFORMED;
+        }
         numChannels = br.getBits(4);
         if (objectType == 5) {
             // SBR specific config per 14496-3 table 1.13
+            if (br.numBitsLeft() < 4) {
+                return ERROR_MALFORMED;
+            }
             freqIndex = br.getBits(4);
             if (freqIndex == 15) {
                 if (csd_size < 8) {
                     return ERROR_MALFORMED;
                 }
+                if (br.numBitsLeft() < 24) {
+                    return ERROR_MALFORMED;
+                }
                 sampleRate = br.getBits(24);
             }
         }
 
         if (sampleRate == 0) {
             static uint32_t kSamplingRate[] = {
                 96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
                 16000, 12000, 11025, 8000, 7350
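Review bot: In the SBR branch, an explicit 24-bit sample rate that reads as zero still falls through to the `if (sampleRate == 0)` table path with `freqIndex` equal to 15, while the `kSamplingRate` initializer visible here lists only 13 entries. The added `numBitsLeft()` checks bound the reads from the bit reader but not this index, and the lookup itself lies past the end of the hunk, so confirm that it rejects every `freqIndex` outside the table rather than only selected values. If it does not, rejecting the zero rate directly after the read would close the gap: `if (sampleRate == 0) { return ERROR_MALFORMED; }` following the second `sampleRate = br.getBits(24);`. The enclosing MPEG4Extractor method (its name is truncated in the hunk header) starts before and continues after this hunk.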