Bug 1128939: Part2. Make sure we limit read to buffer size and handle error nicely. r=k17e
authorJean-Yves Avenard <jyavenard@mozilla.com>
Thu, 12 Feb 2015 18:52:12 +1100
changeset 246301 21a1b1631c1b7bf60515a71f4b416dc8e0b66773
parent 246300 c8356c3884b2d254b9939827b6771d21141d86d4
child 246302 dccaeb191e5f9979a4cb74fa24cd100782930131
push id7677
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 18:11:24 +0000
treeherdermozilla-aurora@f531d838c055 [default view] [failures only]
reviewersk17e
bugs1128939
milestone38.0a1
Bug 1128939: Part2. Make sure we limit read to buffer size and handle error nicely. r=k17e
media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -3492,17 +3492,24 @@ status_t MPEG4Source::read(
             mBuffer = NULL;
 
             return OK;
         }
 
         // Each NAL unit is split up into its constituent fragments and
         // each one of them returned in its own buffer.
 
-        CHECK(mBuffer->range_length() >= mNALLengthSize);
+        if (mBuffer->range_length() < mNALLengthSize) {
+            ALOGE("incomplete NAL unit.");
+
+            mBuffer->release();
+            mBuffer = NULL;
+
+            return ERROR_MALFORMED;
+        }
 
         const uint8_t *src =
             (const uint8_t *)mBuffer->data() + mBuffer->range_offset();
 
         size_t nal_size = parseNALSize(src);
         if (mBuffer->range_length() < mNALLengthSize + nal_size) {
             ALOGE("incomplete NAL unit.");
 
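Review bot: The follow-up bounds check kept as context right after the new guard, `mBuffer->range_length() < mNALLengthSize + nal_size`, adds a length taken from the sample data to `mNALLengthSize`. Where `size_t` is 32 bits, a large `nal_size` could wrap that sum, so an oversized NAL length would pass the check; `parseNALSize` is not visible here, so this depends on it being able to return values near `SIZE_MAX`. Because the new guard already establishes `range_length() >= mNALLengthSize`, the comparison can be written without the addition: `if (nal_size > mBuffer->range_length() - mNALLengthSize) {`. The same pattern appears in the `MPEG4Source::fragmentedRead` hunk, and both function bodies continue outside the visible lines.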
@@ -3854,17 +3861,24 @@ status_t MPEG4Source::fragmentedRead(
             mBuffer = NULL;
 
             return OK;
         }
 
         // Each NAL unit is split up into its constituent fragments and
         // each one of them returned in its own buffer.
 
-        CHECK(mBuffer->range_length() >= mNALLengthSize);
+        if (mBuffer->range_length() < mNALLengthSize) {
+            ALOGE("incomplete NAL unit.");
+
+            mBuffer->release();
+            mBuffer = NULL;
+
+            return ERROR_MALFORMED;
+        }
 
         const uint8_t *src =
             (const uint8_t *)mBuffer->data() + mBuffer->range_offset();
 
         size_t nal_size = parseNALSize(src);
         if (mBuffer->range_length() < mNALLengthSize + nal_size) {
             ALOGE("incomplete NAL unit.");