Limit ogg packet size am: bf928560ac am: f349435fcf am: 086cee9d89 am: b65b0a8367 am: 412be4b735 am: 045c64fe94 am: fd7cba4d0e am: 433dacf8db am: 8c805395e5 am: bf913622a7 am: d68e4e45b0 am: 90f3fe5f66 am: 08d9bb8cb6 am: 398fa51c1c
am: a6a7b14909

Change-Id: I4b74843f8d4df0d682873b8635deafcc8624d419
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 0343786..e31c37c 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -697,7 +697,21 @@
             if (buffer != NULL) {
                 fullSize += buffer->range_length();
             }
-            MediaBuffer *tmp = new MediaBuffer(fullSize);
+            if (fullSize > 16 * 1024 * 1024) { // arbitrary limit of 16 MB packet size
+                if (buffer != NULL) {
+                    buffer->release();
+                }
+                ALOGE("b/36592202");
+                return ERROR_MALFORMED;
+            }
+            MediaBuffer *tmp = new (std::nothrow) MediaBuffer(fullSize);
+            if (tmp == NULL) {
+                if (buffer != NULL) {
+                    buffer->release();
+                }
+                ALOGE("b/36592202");
+                return ERROR_MALFORMED;
+            }
             if (buffer != NULL) {
                 memcpy(tmp->data(), buffer->data(), buffer->range_length());
                 tmp->set_range(0, buffer->range_length());
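Review bot: The `tmp == NULL` check after `new (std::nothrow) MediaBuffer(fullSize)` only covers allocation of the MediaBuffer object itself. If the constructor allocates the payload internally and that allocation fails (the constructor is not visible here, so this needs confirming against MediaBuffer), `tmp->data()` can still be null when the `memcpy` below runs on a packet under the 16 MB cap. Consider `if (tmp == NULL || tmp->data() == NULL)`, releasing `tmp` as well as `buffer` on that path when it is non-null. Both error branches also log the identical `ALOGE("b/36592202")`, so an oversized packet and an allocation failure cannot be told apart in logs; adding `fullSize` to the message would help triage. The enclosing function starts and ends outside this hunk.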