Merge "Fix timedtext parsing" into klp-dev
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 073c53f..28c9c7c 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -844,11 +844,14 @@
         }
     }
 
-    size_t outLen = 3 * size / 4 - padding;
-
-    *outSize = outLen;
+    // We divide first to avoid overflow. It's OK to do this because we
+    // already made sure that size % 4 == 0.
+    size_t outLen = (size / 4) * 3 - padding;
 
     void *buffer = malloc(outLen);
+    if (buffer == NULL) {
+        return NULL;
+    }
 
     uint8_t *out = (uint8_t *)buffer;
     size_t j = 0;
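Review bot: The new comment on `outLen` justifies dividing first but says nothing about the `- padding` that follows, and a `size_t` subtraction wraps silently if `padding` ever exceeds `(size / 4) * 3`. The code that derives `padding` and checks `size % 4` is above this hunk, so the bound presumably holds there. Since this value sizes the buffer the decode loop writes into, I would state the invariant next to the arithmetic, or enforce it before the `malloc` with `if (padding > (size / 4) * 3) return NULL;`. If the code above does guarantee it, a comment such as `// padding is non-zero only when size >= 4, so this cannot wrap.` is enough.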
@@ -867,10 +870,10 @@
         } else if (c == '/') {
             value = 63;
         } else if (c != '=') {
-            return NULL;
+            break;
         } else {
             if (i < n - padding) {
-                return NULL;
+                break;
             }
 
             value = 0;
@@ -888,6 +891,13 @@
         }
     }
 
+    // Check if we exited the loop early.
+    if (j < outLen) {
+        free(buffer);
+        return NULL;
+    }
+
+    *outSize = outLen;
     return (uint8_t *)buffer;
 }
 
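Review bot: Failure is inferred from `j < outLen` after the loop, which ties error detection to the write counter rather than to the two `break` sites in the previous hunk. It is correct only while no rejected input can reach `j == outLen` before breaking, and the statements that advance `j` are outside the visible hunks, so that cannot be confirmed from here. An explicit flag is harder to get wrong under later edits: declare `bool failed = false;`, use `failed = true; break;` at both sites, and test `if (failed)` here. Separately, `*outSize` is now written only on success, so unless the start of the function (not shown) zeroes it, a caller reading it after a NULL return sees a stale value.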
diff --git a/media/libstagefright/Utils.cpp b/media/libstagefright/Utils.cpp
index 80d8cef..090c891 100644
--- a/media/libstagefright/Utils.cpp
+++ b/media/libstagefright/Utils.cpp
@@ -160,8 +160,10 @@
 
         const uint8_t *ptr = (const uint8_t *)data;
 
-        CHECK(size >= 7);
-        CHECK_EQ((unsigned)ptr[0], 1u);  // configurationVersion == 1
+        if (size < 7 || ptr[0] != 1) {  // configurationVersion == 1
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
         uint8_t profile = ptr[1];
         uint8_t level = ptr[3];
 
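Review bot: `ALOGE("b/23680780")` logs only a bug id, and the same string is used at all four rejection points in this file (here and in the two following hunks), so a log line cannot show which field was short or what `size` was. Keeping the id as a prefix and adding the context would make triage of malformed media practical, e.g. `ALOGE("b/23680780: config record too short or bad version, size=%zu", size);` (assuming `size` is a `size_t`). The trailing comment `// configurationVersion == 1` now sits on a test of the opposite condition; `// require configurationVersion == 1` reads correctly.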
@@ -187,7 +189,10 @@
         buffer->setRange(0, 0);
 
         for (size_t i = 0; i < numSeqParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
             size_t length = U16_AT(ptr);
 
             ptr += 2;
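Review bot: The new `size < 2` test covers only the `U16_AT(ptr)` read; the comparison of `length` against the remaining `size` comes after `ptr += 2` and is outside this hunk, and the same applies to the picture-parameter-set loop in the next hunk. If that comparison is still a `CHECK`, a record with an oversized `length` will keep aborting the process instead of returning `BAD_VALUE`. It should then get the same treatment in both loops: `if (size < length) { ALOGE("b/23680780"); return BAD_VALUE; }`. The loop body continues past the end of the hunk.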
@@ -216,13 +221,19 @@
         }
         buffer->setRange(0, 0);
 
-        CHECK(size >= 1);
+        if (size < 1) {
+            ALOGE("b/23680780");
+            return BAD_VALUE;
+        }
         size_t numPictureParameterSets = *ptr;
         ++ptr;
         --size;
 
         for (size_t i = 0; i < numPictureParameterSets; ++i) {
-            CHECK(size >= 2);
+            if (size < 2) {
+                ALOGE("b/23680780");
+                return BAD_VALUE;
+            }
             size_t length = U16_AT(ptr);
 
             ptr += 2;