Merge "Avoid parsing CC SEI payload beyond buffer end" am: 1eb3cb0 am: 9f954b0 * commit '9f954b0b7182fb38e9660fff70aa0f26d42ff741': Avoid parsing CC SEI payload beyond buffer end

commit: 5180f7fe109f499955e00921759b92e4b3fbb1e8 [log] [tgz]
author: Patrik2 Carlsson <patrik2.carlsson@sonymobile.com> Fri Mar 18 15:03:31 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Fri Mar 18 15:03:31 2016 +0000
tree: 8dc80ee4376bbd810d62959291893eec8a6942c0
parent: b9d8ad8e35c4ec31951f64dfb5f64e9e4073f0a1 [diff]
parent: 9f954b0b7182fb38e9660fff70aa0f26d42ff741 [diff]
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
index 9587e3c..73b07bb 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp

@@ -256,6 +256,12 @@
             payload_size += last_byte;
         } while (last_byte == 0xFF);
 
+        if (payload_size > SIZE_MAX / 8
+                || !br.atLeastNumBitsLeft(payload_size * 8)) {
+            ALOGV("Malformed SEI payload");
+            break;
+        }
+
         // sei_payload()
         if (payload_type == 4) {
             bool isCC = false;
commit	5180f7fe109f499955e00921759b92e4b3fbb1e8	[log] [tgz]
author	Patrik2 Carlsson <patrik2.carlsson@sonymobile.com>	Fri Mar 18 15:03:31 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Fri Mar 18 15:03:31 2016 +0000
tree	8dc80ee4376bbd810d62959291893eec8a6942c0
parent	b9d8ad8e35c4ec31951f64dfb5f64e9e4073f0a1 [diff]
parent	9f954b0b7182fb38e9660fff70aa0f26d42ff741 [diff]