GChmurka

stagefright fix pure AOSP 4.4.4

Aug 11th, 2015
  1. --- media/libstagefright/MPEG4Extractor.cpp.orig 2015-08-07 18:45:05.660506138 +0200
  2. +++ media/libstagefright/MPEG4Extractor.cpp 2015-08-10 07:05:39.057882612 +0200
  3. @@ -834,6 +834,9 @@
  4. }
  5. }
  6.  
  7. + if (!mLastTrack)
  8. + return ERROR_MALFORMED;
  9. +
  10. mLastTrack->sampleTable = new SampleTable(mDataSource);
  11. }
  12.  
  13. @@ -982,6 +985,10 @@
  14. }
  15. original_fourcc = ntohl(original_fourcc);
  16. ALOGV("read original format: %d", original_fourcc);
  17. +
  18. + if (!mLastTrack)
  19. + return ERROR_MALFORMED;
  20. +
  21. mLastTrack->meta->setCString(kKeyMIMEType, FourCC2MIME(original_fourcc));
  22. uint32_t num_channels = 0;
  23. uint32_t sample_rate = 0;
  24. @@ -1036,6 +1043,9 @@
  25. return ERROR_IO;
  26. }
  27.  
  28. + if (!mLastTrack)
  29. + return ERROR_MALFORMED;
  30. +
  31. mLastTrack->meta->setInt32(kKeyCryptoMode, defaultAlgorithmId);
  32. mLastTrack->meta->setInt32(kKeyCryptoDefaultIVSize, defaultIVSize);
  33. mLastTrack->meta->setData(kKeyCryptoKey, 'tenc', defaultKeyId, 16);
  34. @@ -1137,8 +1147,10 @@
  35. duration = ntohl(duration32);
  36. }
  37. }
  38. - mLastTrack->meta->setInt64(
  39. + if (duration != 0 && mLastTrack->timescale != 0) {
  40. + mLastTrack->meta->setInt64(
  41. kKeyDuration, (duration * 1000000) / mLastTrack->timescale);
  42. + }
  43.  
  44. uint8_t lang[2];
  45. off64_t lang_offset;
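Review bot: The new condition `if (duration != 0 && mLastTrack->timescale != 0)` dereferences `mLastTrack` without the `if (!mLastTrack) return ERROR_MALFORMED;` guard that the other hunks in this file add, so this case can still fault on a box that arrives before any track exists, unless a check sits above the hunk where it cannot be seen. The zero-timescale test removes the division by zero, but `duration * 1000000` is still computed from a file-supplied value and, depending on the declared width of `duration`, can wrap for large inputs; bounding `duration` before the multiply would close that as well. The enclosing case begins above the hunk.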
  46. @@ -1200,6 +1212,10 @@
  47. // display the timed text.
  48. // For encrypted files, there may also be more than one entry.
  49. const char *mime;
  50. +
  51. + if (!mLastTrack)
  52. + return ERROR_MALFORMED;
  53. +
  54. CHECK(mLastTrack->meta->findCString(kKeyMIMEType, &mime));
  55. if (strcasecmp(mime, MEDIA_MIMETYPE_TEXT_3GPP) &&
  56. strcasecmp(mime, "application/octet-stream")) {
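Review bot: The added null guard stops short of the `CHECK(mLastTrack->meta->findCString(kKeyMIMEType, &mime));` on the next line, which is a fatal assertion and still brings the process down when a track reaches this point without a MIME type set. Since the rest of the patch turns malformed input into an error return, the same treatment fits here: `if (!mLastTrack->meta->findCString(kKeyMIMEType, &mime)) return ERROR_MALFORMED;`. The `CHECK(mLastTrack->meta->findInt32(kKeySampleRate, &prevSampleRate));` in the last hunk of this file has the same shape.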
  57. @@ -1246,6 +1262,9 @@
  58. uint16_t sample_size = U16_AT(&buffer[18]);
  59. uint32_t sample_rate = U32_AT(&buffer[24]) >> 16;
  60.  
  61. + if (!mLastTrack)
  62. + return ERROR_MALFORMED;
  63. +
  64. if (chunk_type != FOURCC('e', 'n', 'c', 'a')) {
  65. // if the chunk type is enca, we'll get the type from the sinf/frma box later
  66. mLastTrack->meta->setCString(kKeyMIMEType, FourCC2MIME(chunk_type));
  67. @@ -1305,6 +1324,9 @@
  68. // printf("*** coding='%s' width=%d height=%d\n",
  69. // chunk, width, height);
  70.  
  71. + if (!mLastTrack)
  72. + return ERROR_MALFORMED;
  73. +
  74. if (chunk_type != FOURCC('e', 'n', 'c', 'v')) {
  75. // if the chunk type is encv, we'll get the type from the sinf/frma box later
  76. mLastTrack->meta->setCString(kKeyMIMEType, FourCC2MIME(chunk_type));
  77. @@ -1330,6 +1352,9 @@
  78. case FOURCC('s', 't', 'c', 'o'):
  79. case FOURCC('c', 'o', '6', '4'):
  80. {
  81. + if (!mLastTrack || !mLastTrack->sampleTable.get())
  82. + return ERROR_MALFORMED;
  83. +
  84. status_t err =
  85. mLastTrack->sampleTable->setChunkOffsetParams(
  86. chunk_type, data_offset, chunk_data_size);
  87. @@ -1344,6 +1369,9 @@
  88.  
  89. case FOURCC('s', 't', 's', 'c'):
  90. {
  91. + if (!mLastTrack || !mLastTrack->sampleTable.get())
  92. + return ERROR_MALFORMED;
  93. +
  94. status_t err =
  95. mLastTrack->sampleTable->setSampleToChunkParams(
  96. data_offset, chunk_data_size);
  97. @@ -1359,6 +1387,9 @@
  98. case FOURCC('s', 't', 's', 'z'):
  99. case FOURCC('s', 't', 'z', '2'):
  100. {
  101. + if (!mLastTrack || !mLastTrack->sampleTable.get())
  102. + return ERROR_MALFORMED;
  103. +
  104. status_t err =
  105. mLastTrack->sampleTable->setSampleSizeParams(
  106. chunk_type, data_offset, chunk_data_size);
  107. @@ -1441,6 +1472,9 @@
  108.  
  109. case FOURCC('c', 't', 't', 's'):
  110. {
  111. + if (!mLastTrack || !mLastTrack->sampleTable.get())
  112. + return ERROR_MALFORMED;
  113. +
  114. status_t err =
  115. mLastTrack->sampleTable->setCompositionTimeToSampleParams(
  116. data_offset, chunk_data_size);
  117. @@ -1455,6 +1489,9 @@
  118.  
  119. case FOURCC('s', 't', 's', 's'):
  120. {
  121. + if (!mLastTrack || !mLastTrack->sampleTable.get())
  122. + return ERROR_MALFORMED;
  123. +
  124. status_t err =
  125. mLastTrack->sampleTable->setSyncSampleParams(
  126. data_offset, chunk_data_size);
  127. @@ -1523,6 +1560,9 @@
  128. return ERROR_MALFORMED;
  129. }
  130.  
  131. + if (!mLastTrack)
  132. + return ERROR_MALFORMED;
  133. +
  134. mLastTrack->meta->setData(
  135. kKeyESDS, kTypeESDS, &buffer[4], chunk_data_size - 4);
  136.  
  137. @@ -1554,6 +1594,9 @@
  138. return ERROR_IO;
  139. }
  140.  
  141. + if (!mLastTrack)
  142. + return ERROR_MALFORMED;
  143. +
  144. mLastTrack->meta->setData(
  145. kKeyAVCC, kTypeAVCC, buffer->data(), chunk_data_size);
  146.  
  147. @@ -1586,6 +1629,9 @@
  148. return ERROR_IO;
  149. }
  150.  
  151. + if (!mLastTrack)
  152. + return ERROR_MALFORMED;
  153. +
  154. mLastTrack->meta->setData(kKeyD263, kTypeD263, buffer, chunk_data_size);
  155.  
  156. *offset += chunk_size;
  157. @@ -1702,6 +1748,10 @@
  158. return ERROR_IO;
  159. }
  160.  
  161. + if (!mLastTrack)
  162. + return ERROR_MALFORMED;
  163. +
  164. +
  165. uint32_t type = ntohl(buffer);
  166. // For the 3GPP file format, the handler-type within the 'hdlr' box
  167. // shall be 'text'. We also want to support 'sbtl' handler type
  168. @@ -1716,6 +1766,9 @@
  169.  
  170. case FOURCC('t', 'x', '3', 'g'):
  171. {
  172. + if (!mLastTrack)
  173. + return ERROR_MALFORMED;
  174. +
  175. uint32_t type;
  176. const void *data;
  177. size_t size = 0;
  178. @@ -1738,6 +1791,9 @@
  179. return ERROR_IO;
  180. }
  181.  
  182. + if (!mLastTrack)
  183. + return ERROR_MALFORMED;
  184. +
  185. mLastTrack->meta->setData(
  186. kKeyTextFormatData, 0, buffer, size + chunk_size);
  187.  
  188. @@ -1752,12 +1808,17 @@
  189. if (mFileMetaData != NULL) {
  190. ALOGV("chunk_data_size = %lld and data_offset = %lld",
  191. chunk_data_size, data_offset);
  192. +
  193. + if (chunk_data_size >= SIZE_MAX - 1)
  194. + return ERROR_MALFORMED;
  195. sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
  196. if (mDataSource->readAt(
  197. data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
  198. return ERROR_IO;
  199. }
  200. const int kSkipBytesOfDataBox = 16;
  201. + if (chunk_data_size <= kSkipBytesOfDataBox)
  202. + return ERROR_MALFORMED;
  203. mFileMetaData->setData(
  204. kKeyAlbumArt, MetaData::TYPE_NONE,
  205. buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
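Review bot: The lower-bound test `if (chunk_data_size <= kSkipBytesOfDataBox)` runs only after the buffer has been allocated and filled, and the upper-bound test on its own does not reject a negative `chunk_data_size` on a 32-bit build (the `%lld` format suggests the value is signed 64-bit). Both checks belong before `new ABuffer(chunk_data_size + 1)`: move the `kSkipBytesOfDataBox` declaration up and test `if (chunk_data_size <= kSkipBytesOfDataBox || (uint64_t)chunk_data_size >= SIZE_MAX - 1) return ERROR_MALFORMED;`. Putting the lower bound first also makes the unsigned cast safe, because negative sizes are already rejected.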
  206. @@ -1785,6 +1846,9 @@
  207.  
  208. default:
  209. {
  210. + if (!mLastTrack || !mLastTrack->sampleTable.get())
  211. + return ERROR_MALFORMED;
  212. +
  213. *offset += chunk_size;
  214. break;
  215. }
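Review bot: The `default:` branch only advances `*offset` and never touches `mLastTrack`, so the added guard protects nothing here and instead makes every unrecognised box fail with `ERROR_MALFORMED` until a track and its sample table exist. Depending on which box types have their own case labels outside this hunk, that can reject otherwise valid files that carry an unknown box ahead of the first track. Consider dropping the check from this branch, or add a comment stating why unknown boxes must be refused before a sample table is present.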
  216. @@ -1819,6 +1883,8 @@
  217. if (!mDataSource->getUInt32(offset + 8, &timeScale)) {
  218. return ERROR_MALFORMED;
  219. }
  220. + if (timeScale < 1)
  221. + return ERROR_MALFORMED;
  222. ALOGV("sidx refid/timescale: %d/%d", referenceId, timeScale);
  223.  
  224. uint64_t earliestPresentationTime;
  225. @@ -1903,6 +1969,9 @@
  226. mSidxDuration = total_duration * 1000000 / timeScale;
  227. ALOGV("duration: %lld", mSidxDuration);
  228.  
  229. + if (!mLastTrack)
  230. + return ERROR_MALFORMED;
  231. +
  232. int64_t metaDuration;
  233. if (!mLastTrack->meta->findInt64(kKeyDuration, &metaDuration) || metaDuration == 0) {
  234. mLastTrack->meta->setInt64(kKeyDuration, mSidxDuration);
  235. @@ -1953,6 +2022,9 @@
  236. return ERROR_UNSUPPORTED;
  237. }
  238.  
  239. + if (!mLastTrack)
  240. + return ERROR_MALFORMED;
  241. +
  242. mLastTrack->meta->setInt32(kKeyTrackID, id);
  243.  
  244. size_t matrixOffset = dynSize + 16;
  245. @@ -2131,6 +2203,9 @@
  246. int32_t delay, padding;
  247. if (sscanf(mLastCommentData,
  248. " %*x %x %x %*x", &delay, &padding) == 2) {
  249. + if (!mLastTrack)
  250. + return ERROR_MALFORMED;
  251. +
  252. mLastTrack->meta->setInt32(kKeyEncoderDelay, delay);
  253. mLastTrack->meta->setInt32(kKeyEncoderPadding, padding);
  254. }
  255. @@ -2255,6 +2330,9 @@
  256.  
  257. if (objectTypeIndication == 0xe1) {
  258. // This isn't MPEG4 audio at all, it's QCELP 14k...
  259. + if (!mLastTrack)
  260. + return ERROR_MALFORMED;
  261. +
  262. mLastTrack->meta->setCString(kKeyMIMEType, MEDIA_MIMETYPE_AUDIO_QCELP);
  263. return OK;
  264. }
  265. @@ -2303,6 +2381,9 @@
  266. objectType = 32 + br.getBits(6);
  267. }
  268.  
  269. + if (!mLastTrack)
  270. + return ERROR_MALFORMED;
  271. +
  272. //keep AOT type
  273. mLastTrack->meta->setInt32(kKeyAACAOT, objectType);
  274.  
  275. @@ -2348,6 +2429,9 @@
  276. return ERROR_UNSUPPORTED;
  277. }
  278.  
  279. + if (!mLastTrack)
  280. + return ERROR_MALFORMED;
  281. +
  282. int32_t prevSampleRate;
  283. CHECK(mLastTrack->meta->findInt32(kKeySampleRate, &prevSampleRate));
  284.  
  285. --- media/libstagefright/SampleTable.cpp.orig 2015-08-07 18:45:05.664506138 +0200
  286. +++ media/libstagefright/SampleTable.cpp 2015-08-10 06:54:36.517866214 +0200
  287. @@ -230,8 +230,13 @@
  288. return ERROR_MALFORMED;
  289. }
  290.  
  291. + if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets)
  292. + return ERROR_OUT_OF_RANGE;
  293. +
  294. mSampleToChunkEntries =
  295. - new SampleToChunkEntry[mNumSampleToChunkOffsets];
  296. + new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets];
  297. + if (!mSampleToChunkEntries)
  298. + return ERROR_OUT_OF_RANGE;
  299.  
  300. for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {
  301. uint8_t buffer[12];
  302. @@ -331,6 +336,10 @@
  303.  
  304. mTimeToSampleCount = U32_AT(&header[4]);
  305. mTimeToSample = new uint32_t[mTimeToSampleCount * 2];
  306. + mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2];
  307. + if (!mTimeToSample)
  308. + return ERROR_OUT_OF_RANGE;
  309. +
  310.  
  311. size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;
  312. if (mDataSource->readAt(
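Review bot: The original `mTimeToSample = new uint32_t[mTimeToSampleCount * 2];` is kept as a context line, so the array is now allocated twice: the first pointer is overwritten and leaked, and the unchecked allocation that the patch intends to replace still executes. Delete the old line so that only the `new (std::nothrow)` form and its null test remain. The `mCompositionTimeDeltaEntries` hunk that follows repeats the same duplicate.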
  313. @@ -373,6 +382,10 @@
  314.  
  315. mNumCompositionTimeDeltaEntries = numEntries;
  316. mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries];
  317. + mCompositionTimeDeltaEntries = new (std::nothrow) uint32_t[2 * numEntries];
  318. + if (!mCompositionTimeDeltaEntries)
  319. + return ERROR_OUT_OF_RANGE;
  320. +
  321.  
  322. if (mDataSource->readAt(
  323. data_offset + 8, mCompositionTimeDeltaEntries, numEntries * 8)
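Review bot: `2 * numEntries` and the later `numEntries * 8` are computed from a file-supplied count with no range check, so a large count can wrap and yield an array smaller than later users of `numEntries` may expect; the null test after `new (std::nothrow)` does not catch that. A bound in the style of the stsc hunk is needed before the allocation, e.g. `if (numEntries > UINT32_MAX / (2 * sizeof(uint32_t))) return ERROR_OUT_OF_RANGE;`. The same applies to `mTimeToSampleCount * 2` in the previous hunk and to `mNumSyncSamples` and `mNumSampleSizes` in the two hunks that follow. The width of these counters is declared outside the hunks, so confirm it before choosing the limit.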
  324. @@ -417,7 +430,10 @@
  325. ALOGV("Table of sync samples is empty or has only a single entry!");
  326. }
  327.  
  328. - mSyncSamples = new uint32_t[mNumSyncSamples];
  329. + mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples];
  330. + if (!mSyncSamples)
  331. + return ERROR_OUT_OF_RANGE;
  332. +
  333. size_t size = mNumSyncSamples * sizeof(uint32_t);
  334. if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size)
  335. != (ssize_t)size) {
  336. @@ -485,7 +501,9 @@
  337. return;
  338. }
  339.  
  340. - mSampleTimeEntries = new SampleTimeEntry[mNumSampleSizes];
  341. + mSampleTimeEntries = new (std::nothrow) SampleTimeEntry[mNumSampleSizes];
  342. + if (!mSampleTimeEntries)
  343. + return;
  344.  
  345. uint32_t sampleIndex = 0;
  346. uint32_t sampleTime = 0;
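Review bot: `if (!mSampleTimeEntries) return;` fails silently. The bare `return;` at the top of the hunk indicates the function returns no status, so a caller cannot tell that the table was not built and may go on to use a null `mSampleTimeEntries`. Record the failure somewhere callers can test, or change the function to return a `status_t`; at minimum log it, e.g. `ALOGE("failed to allocate sample time table");`. The function begins and ends outside the hunk, so how callers consume the table should be confirmed there.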