commit b3508ea2875cbec309a83aa4b4260457da157a65
author Byeongjo Park <bjo.park@samsung.com> Tue Jun 29 22:02:25 2021 +0900
committer Lajos Molnar <lajos@google.com> Thu Jul 15 14:25:29 2021 -0700
tree 0b0c987a2dee32e8def2ab66ee7cc83d1d81c307
parent a36bb883e32de52e21af0bc954f36d77ccfbae3f

VT: Wrong size buffer allocation of vps/sps/pps.

[Problem] H.265 stream can not be decoded due to
  an invalid header provided.
[Cause] vps/sps/pps buffers are allocated with smaller
  size than required.
[Solution] Correct a size to allocate buffers.

* Some expressions used in this H.265 vps/sps/pps parser
  copied on the same function part of H.264 for consistency.

bug: 192326376

Signed-off-by: Byeongjo Park <bjo.park@samsung.com>
Merged-in: Ia07090468e382b3a4bf62e3ca5659e292e7ee3a5
Change-Id: Ia07090468e382b3a4bf62e3ca5659e292e7ee3a5
Signed-off-by: Kim Sungyeon <sy85.kim@samsung.com>

media/libstagefright/rtsp/ARTPWriter.cpp

diff --git a/media/libstagefright/rtsp/ARTPWriter.cpp b/media/libstagefright/rtsp/ARTPWriter.cpp
index ec70952..8aabc09 100644
--- a/media/libstagefright/rtsp/ARTPWriter.cpp
+++ b/media/libstagefright/rtsp/ARTPWriter.cpp
@@ -327,16 +327,17 @@
 
     while (buffer->range_length() > 0) {
         const uint8_t *NALPtr = (const uint8_t *)buffer->data() + buffer->range_offset();
+        uint8_t nalType = (*NALPtr) & H264_NALU_MASK;
 
         MediaBufferBase **targetPtr = NULL;
-        if ((*NALPtr & H264_NALU_MASK) == H264_NALU_SPS) {
+        if (nalType == H264_NALU_SPS) {
             targetPtr = spsBuffer;
-        } else if ((*NALPtr & H264_NALU_MASK) == H264_NALU_PPS) {
+        } else if (nalType == H264_NALU_PPS) {
             targetPtr = ppsBuffer;
         } else {
             return;
         }
-        ALOGV("SPS(7) or PPS(8) found. Type %d", *NALPtr & H264_NALU_MASK);
+        ALOGV("SPS(7) or PPS(8) found. Type %d", nalType);
 
         uint32_t bufferSize = buffer->range_length();
         MediaBufferBase *&target = *targetPtr;
@@ -417,18 +418,18 @@
             }
         }
 
+        uint32_t targetSize;
         if (target != NULL) {
             target->release();
         }
-        uint32_t targetSize;
         // note that targetSize is never 0 as the first byte is never part
         // of a start prefix
         if (isBoundFound) {
             targetSize = i - SPCSize + 1;
-            target = MediaBufferBase::Create(j);
+            target = MediaBufferBase::Create(targetSize);
             memcpy(target->data(),
                    (const uint8_t *)buffer->data() + buffer->range_offset(),
-                   j);
+                   targetSize);
             buffer->set_range(buffer->range_offset() + targetSize + SPCSize,
                               buffer->range_length() - targetSize - SPCSize);
         } else {