Limit ogg packet size am: bf928560ac am: f349435fcf am: 086cee9d89 am: b65b0a8367 am: 412be4b735 am: 045c64fe94 am: fd7cba4d0e am: 433dacf8db am: 8c805395e5 am: bf913622a7 am: d68e4e45b0 am: 90f3fe5f66 am: 08d9bb8cb6
am: 398fa51c1c
Change-Id: I9315cf95e40ad3966cf1de410cddc78651bdb6ef
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 37e8e9c..ebbe510 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -697,7 +697,21 @@
if (buffer != NULL) {
fullSize += buffer->range_length();
}
- MediaBuffer *tmp = new MediaBuffer(fullSize);
+ if (fullSize > 16 * 1024 * 1024) { // arbitrary limit of 16 MB packet size
+ if (buffer != NULL) {
+ buffer->release();
+ }
+ ALOGE("b/36592202");
+ return ERROR_MALFORMED;
+ }
+ MediaBuffer *tmp = new (std::nothrow) MediaBuffer(fullSize);
+ if (tmp == NULL) {
+ if (buffer != NULL) {
+ buffer->release();
+ }
+ ALOGE("b/36592202");
+ return ERROR_MALFORMED;
+ }
if (buffer != NULL) {
memcpy(tmp->data(), buffer->data(), buffer->range_length());
tmp->set_range(0, buffer->range_length());