commit 8c805395e5d82efb12386a27988dfaab7f8af312
author Marco Nelissen <marcone@google.com> Mon May 15 17:09:55 2017 +0000
committer android-build-merger <android-build-merger@google.com> Mon May 15 17:09:55 2017 +0000
tree 02cae9c491c1a0fa8fff81271410477e9245576f
parent b6bf46944fb0a2f14b3265559ad762d691b2a9ba
parent 433dacf8db10e8f0984240ee2fd591c5b6564dc9

Limit ogg packet size am: bf928560ac am: f349435fcf am: 086cee9d89 am: b65b0a8367 am: 412be4b735 am: 045c64fe94 am: fd7cba4d0e
am: 433dacf8db

Change-Id: Ibffd67ae4a98c0b38c42f68efcb8cc7b401deb0c

media/libstagefright/OggExtractor.cpp

diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 578171f..f953874 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -694,7 +694,21 @@
             if (buffer != NULL) {
                 fullSize += buffer->range_length();
             }
-            MediaBuffer *tmp = new MediaBuffer(fullSize);
+            if (fullSize > 16 * 1024 * 1024) { // arbitrary limit of 16 MB packet size
+                if (buffer != NULL) {
+                    buffer->release();
+                }
+                ALOGE("b/36592202");
+                return ERROR_MALFORMED;
+            }
+            MediaBuffer *tmp = new (std::nothrow) MediaBuffer(fullSize);
+            if (tmp == NULL) {
+                if (buffer != NULL) {
+                    buffer->release();
+                }
+                ALOGE("b/36592202");
+                return ERROR_MALFORMED;
+            }
             if (buffer != NULL) {
                 memcpy(tmp->data(), buffer->data(), buffer->range_length());
                 tmp->set_range(0, buffer->range_length());