Merge "Sanity checking when parsing 'trun' box."
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 88045d7..9dab023 100755
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -5239,8 +5239,30 @@
sampleCtsOffset = 0;
}
- if (size < (off64_t)sampleCount * bytesPerSample) {
- return -EINVAL;
+ if (bytesPerSample != 0) {
+ if (size < (off64_t)sampleCount * bytesPerSample) {
+ return -EINVAL;
+ }
+ } else {
+ if (sampleDuration == 0) {
+ ALOGW("b/123389881 sampleDuration == 0");
+ android_errorWriteLog(0x534e4554, "124389881 zero");
+ return -EINVAL;
+ }
+
+ // apply some sanity (vs strict legality) checks
+ //
+ // clamp the count of entries in the trun box, to avoid spending forever parsing
+ // this box. Clamping (vs error) lets us play *something*.
+ // 1 million is about 400 msecs on a Pixel3, should be no more than a couple seconds
+ // on the slowest devices.
+ static constexpr uint32_t kMaxTrunSampleCount = 1000000;
+ if (sampleCount > kMaxTrunSampleCount) {
+ ALOGW("b/123389881 clamp sampleCount(%u) @ kMaxTrunSampleCount(%u)",
+ sampleCount, kMaxTrunSampleCount);
+ android_errorWriteLog(0x534e4554, "124389881 count");
+
+ }
}
Sample tmp;
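Review bot: The `sampleCount > kMaxTrunSampleCount` branch logs a clamp but, as shown in this hunk, never lowers the value: the line after `android_errorWriteLog(0x534e4554, "124389881 count");` is blank, so a file-supplied count above the limit presumably still reaches the per-sample parsing that follows. Unless the assignment was lost in rendering, add `sampleCount = kMaxTrunSampleCount;` inside that branch so the bound described in the comment is actually enforced. Both `ALOGW` messages cite b/123389881 while both `android_errorWriteLog` calls tag 124389881; one of the two ids looks like a typo, and they should match so the logcat line and the event-log entry can be correlated. The enclosing function starts and ends outside the hunk, so how `sampleCount` is used afterwards is not visible here.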