commit 045c64fe94e4efee969958262f3d58baf48b0e56
author Marco Nelissen <marcone@google.com> Mon May 15 17:01:55 2017 +0000
committer android-build-merger <android-build-merger@google.com> Mon May 15 17:01:55 2017 +0000
tree b37f229c4e29646922b446a84120ebc55e75845f
parent 85f575dc67cf269cb42ea6937bbd853f0ef22ae5
parent 412be4b735610e6683e2db080ab2891b53b06510

Limit ogg packet size am: bf928560ac am: f349435fcf am: 086cee9d89 am: b65b0a8367
am: 412be4b735

Change-Id: I70263d5cb5fca57353337a60686d1468692819cf

media/libstagefright/OggExtractor.cpp

diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 0a720ac..98134b7 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -491,7 +491,21 @@
             if (buffer != NULL) {
                 fullSize += buffer->range_length();
             }
-            MediaBuffer *tmp = new MediaBuffer(fullSize);
+            if (fullSize > 16 * 1024 * 1024) { // arbitrary limit of 16 MB packet size
+                if (buffer != NULL) {
+                    buffer->release();
+                }
+                ALOGE("b/36592202");
+                return ERROR_MALFORMED;
+            }
+            MediaBuffer *tmp = new (std::nothrow) MediaBuffer(fullSize);
+            if (tmp == NULL) {
+                if (buffer != NULL) {
+                    buffer->release();
+                }
+                ALOGE("b/36592202");
+                return ERROR_MALFORMED;
+            }
             if (buffer != NULL) {
                 memcpy(tmp->data(), buffer->data(), buffer->range_length());
                 tmp->set_range(0, buffer->range_length());