Merge "Avoid parsing CC SEI payload beyond buffer end" am: 1eb3cb0
am: 9f954b0
* commit '9f954b0b7182fb38e9660fff70aa0f26d42ff741':
Avoid parsing CC SEI payload beyond buffer end
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
index 9587e3c..73b07bb 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
@@ -256,6 +256,12 @@
payload_size += last_byte;
} while (last_byte == 0xFF);
+ if (payload_size > SIZE_MAX / 8
+ || !br.atLeastNumBitsLeft(payload_size * 8)) {
+ ALOGV("Malformed SEI payload");
+ break;
+ }
+
// sei_payload()
if (payload_type == 4) {
bool isCC = false;
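Review bot: The new rejection path logs with `ALOGV`, which is compiled out unless `LOG_NDEBUG` is 0, so on a typical release build a stream with an oversized `payload_size` is dropped without any trace; `ALOGW("Malformed SEI payload");` would keep the event visible to anyone triaging malformed media. The check itself is ordered correctly, since `payload_size > SIZE_MAX / 8` is tested before `payload_size * 8` is evaluated, and a short comment such as `// payload_size is read from the stream; reject it before anything skips or reads that many bits` would record why the guard sits here. The `do { ... } while (last_byte == 0xFF)` loop just above accumulates bytes taken from the stream, and its read is outside this hunk, so it is worth confirming that read is also bounded by the bits remaining. The enclosing loop that `break` leaves starts and ends outside the hunk.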