commit 443a1aa7dbf01d71661535ec10b253c5ef5c2f58
author Marco Nelissen <marcone@google.com> Mon Nov 14 20:58:06 2016 +0000
committer android-build-merger <android-build-merger@google.com> Mon Nov 14 20:58:06 2016 +0000
tree d7d2cba1fdfb08655667a3618434f057ee5b9624
parent 61249e2feb6cd86aac6caea15ac1e0a37073f7f6
parent a0b2e1682f07d19541063bd581d917940f6dfa1b

Make VBRISeeker more robust am: 7fdd36418e am: ae0cffaced am: 82642824a5 am: c236ae3ad0 am: 43dad372e7 am: aa8c778d64
am: a0b2e1682f

Change-Id: I75153c516c617ac0f11913c5a0f9630daa56f09b

media/libstagefright/VBRISeeker.cpp

diff --git a/media/libstagefright/VBRISeeker.cpp b/media/libstagefright/VBRISeeker.cpp
index 8a0fcac..5067ddc 100644
--- a/media/libstagefright/VBRISeeker.cpp
+++ b/media/libstagefright/VBRISeeker.cpp
@@ -83,8 +83,23 @@
          scale,
          entrySize);
 
+    if (entrySize > 4) {
+        ALOGE("invalid VBRI entry size: %zu", entrySize);
+        return NULL;
+    }
+
+    sp<VBRISeeker> seeker = new (std::nothrow) VBRISeeker;
+    if (seeker == NULL) {
+        ALOGW("Couldn't allocate VBRISeeker");
+        return NULL;
+    }
+
     size_t totalEntrySize = numEntries * entrySize;
-    uint8_t *buffer = new uint8_t[totalEntrySize];
+    uint8_t *buffer = new (std::nothrow) uint8_t[totalEntrySize];
+    if (!buffer) {
+        ALOGW("Couldn't allocate %zu bytes", totalEntrySize);
+        return NULL;
+    }
 
     n = source->readAt(pos + sizeof(vbriHeader), buffer, totalEntrySize);
     if (n < (ssize_t)totalEntrySize) {
@@ -94,7 +109,6 @@
         return NULL;
     }
 
-    sp<VBRISeeker> seeker = new VBRISeeker;
     seeker->mBasePos = post_id3_pos + frameSize;
     // only update mDurationUs if the calculated duration is valid (non zero)
     // otherwise, leave duration at -1 so that getDuration() and getOffsetForTime()