commit 8370c7ad4136ad7e0787d5a91ccfa3d63cfbe5cc
author Andreas Huber <andih@google.com> Fri May 18 13:08:14 2012 -0700
committer Andreas Huber <andih@google.com> Fri May 18 13:46:24 2012 -0700
tree 581379729389cbea7652272117fd9dc81feff1f8
parent 7c2af29ebced41b1b7ed32910cc9b587fb8bbf5c

Instead of asserting on malformed ADTS headers or insufficient data,

stop decoding and signal a runtime error.

Change-Id: Ib66a17a2908273f65a92999951439cc6f0752164
related-to-bug: 6519161

media/libstagefright/codecs/aacdec/SoftAAC2.cpp

diff --git a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
index b5a8da8..9f6db4c 100644
--- a/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
+++ b/media/libstagefright/codecs/aacdec/SoftAAC2.cpp
@@ -21,6 +21,7 @@
 
 #include <media/stagefright/foundation/ADebug.h>
 #include <media/stagefright/foundation/hexdump.h>
+#include <media/stagefright/MediaErrors.h>
 
 #define FILEREAD_MAX_LAYERS 2
 
@@ -336,24 +337,48 @@
 
             const uint8_t *adtsHeader = inHeader->pBuffer + inHeader->nOffset;
 
-            CHECK_GE(inHeader->nFilledLen, 7);
+            bool signalError = false;
+            if (inHeader->nFilledLen < 7) {
+                ALOGE("Audio data too short to contain even the ADTS header. "
+                      "Got %ld bytes.", inHeader->nFilledLen);
+                hexdump(adtsHeader, inHeader->nFilledLen);
+                signalError = true;
+            } else {
+                bool protectionAbsent = (adtsHeader[1] & 1);
 
-            bool protectionAbsent = (adtsHeader[1] & 1);
+                unsigned aac_frame_length =
+                    ((adtsHeader[3] & 3) << 11)
+                    | (adtsHeader[4] << 3)
+                    | (adtsHeader[5] >> 5);
 
-            unsigned aac_frame_length =
-                ((adtsHeader[3] & 3) << 11)
-                | (adtsHeader[4] << 3)
-                | (adtsHeader[5] >> 5);
+                if (inHeader->nFilledLen < aac_frame_length) {
+                    ALOGE("Not enough audio data for the complete frame. "
+                          "Got %ld bytes, frame size according to the ADTS "
+                          "header is %u bytes.",
+                          inHeader->nFilledLen, aac_frame_length);
+                    hexdump(adtsHeader, inHeader->nFilledLen);
+                    signalError = true;
+                } else {
+                    adtsHeaderSize = (protectionAbsent ? 7 : 9);
 
-            CHECK_GE(inHeader->nFilledLen, aac_frame_length);
+                    inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize;
+                    inBufferLength[0] = aac_frame_length - adtsHeaderSize;
 
-            adtsHeaderSize = (protectionAbsent ? 7 : 9);
+                    inHeader->nOffset += adtsHeaderSize;
+                    inHeader->nFilledLen -= adtsHeaderSize;
+                }
 
-            inBuffer[0] = (UCHAR *)adtsHeader + adtsHeaderSize;
-            inBufferLength[0] = aac_frame_length - adtsHeaderSize;
+                if (signalError) {
+                    mSignalledError = true;
 
-            inHeader->nOffset += adtsHeaderSize;
-            inHeader->nFilledLen -= adtsHeaderSize;
+                    notify(OMX_EventError,
+                           OMX_ErrorStreamCorrupt,
+                           ERROR_MALFORMED,
+                           NULL);
+
+                    return;
+                }
+            }
         } else {
             inBuffer[0] = inHeader->pBuffer + inHeader->nOffset;
             inBufferLength[0] = inHeader->nFilledLen;