commit 467c853b1aa1b10a02a6a52972df7c2b6fa7e0b1
author Ray Essick <essick@google.com> Mon Mar 13 17:21:07 2017 +0000
committer android-build-merger <android-build-merger@google.com> Mon Mar 13 17:21:07 2017 +0000
tree 57eea24d2dd031c18371df9a59f25276686d0609
parent edbb831903bb664257c3e753244c1ab039677350
parent 98284d4fe08989025b831ea8225a9b95e4033367

Merge "Validate lengths in HEVC metadata parsing" into nyc-dev am: d4c1d61625 am: 8e1aef08e6 am: 3754af193c am: 0d9990d9f0
am: 98284d4fe0

Change-Id: I933545664aaf68c77cff760c023c364aa605e394

media/libstagefright/HevcUtils.cpp

diff --git a/media/libstagefright/HevcUtils.cpp b/media/libstagefright/HevcUtils.cpp
index 718710a..7d463a9 100644
--- a/media/libstagefright/HevcUtils.cpp
+++ b/media/libstagefright/HevcUtils.cpp
@@ -45,16 +45,32 @@
 }
 
 status_t HevcParameterSets::addNalUnit(const uint8_t* data, size_t size) {
+    if (size < 1) {
+        ALOGE("empty NAL b/35467107");
+        return ERROR_MALFORMED;
+    }
     uint8_t nalUnitType = (data[0] >> 1) & 0x3f;
     status_t err = OK;
     switch (nalUnitType) {
         case 32:  // VPS
+            if (size < 2) {
+                ALOGE("invalid NAL/VPS size b/35467107");
+                return ERROR_MALFORMED;
+            }
             err = parseVps(data + 2, size - 2);
             break;
         case 33:  // SPS
+            if (size < 2) {
+                ALOGE("invalid NAL/SPS size b/35467107");
+                return ERROR_MALFORMED;
+            }
             err = parseSps(data + 2, size - 2);
             break;
         case 34:  // PPS
+            if (size < 2) {
+                ALOGE("invalid NAL/PPS size b/35467107");
+                return ERROR_MALFORMED;
+            }
             err = parsePps(data + 2, size - 2);
             break;
         case 39:  // Prefix SEI