add trunksize as restriction for function parseClearEncryptedSizes()
Without trunksize as restriction, function parseClearEncryptedSized()
can read the rest of file. If the file has a large number of saiz trunk,
large number of bytes will be copied, which can lead to high cost of
CPU time.
Bug: 124777526
Test: please see #3 and #8 in bug report:
push senc.mp4 to devices's sdcard
open photo app
manuly print log
Change-Id: I854765c82d02d541b92f2658673aa4ce61fb5412
(cherry picked from commit aa15fefa185278a549fd72dd1b79ae73ca5e4436)
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index ce82861..35978e3 100755
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -160,8 +160,9 @@
status_t parseTrackFragmentRun(off64_t offset, off64_t size);
status_t parseSampleAuxiliaryInformationSizes(off64_t offset, off64_t size);
status_t parseSampleAuxiliaryInformationOffsets(off64_t offset, off64_t size);
- status_t parseClearEncryptedSizes(off64_t offset, bool isSubsampleEncryption, uint32_t flags);
- status_t parseSampleEncryption(off64_t offset);
+ status_t parseClearEncryptedSizes(
+ off64_t offset, bool isSubsampleEncryption, uint32_t flags, off64_t size);
+ status_t parseSampleEncryption(off64_t offset, off64_t size);
// returns -1 for invalid layer ID
int32_t parseHEVCLayerId(const uint8_t *data, size_t size);
@@ -5188,7 +5189,7 @@
case FOURCC("senc"): {
status_t err;
- if ((err = parseSampleEncryption(data_offset)) != OK) {
+ if ((err = parseSampleEncryption(data_offset, chunk_data_size)) != OK) {
return err;
}
*offset += chunk_size;
@@ -5380,12 +5381,13 @@
off64_t drmoffset = mCurrentSampleInfoOffsets[0]; // from moof
drmoffset += mCurrentMoofOffset;
+ size -= mCurrentMoofOffset;
- return parseClearEncryptedSizes(drmoffset, false, 0);
+ return parseClearEncryptedSizes(drmoffset, false, 0, size);
}
status_t MPEG4Source::parseClearEncryptedSizes(
- off64_t offset, bool isSubsampleEncryption, uint32_t flags) {
+ off64_t offset, bool isSubsampleEncryption, uint32_t flags, off64_t size) {
int32_t ivlength;
if (!AMediaFormat_getInt32(mFormat, AMEDIAFORMAT_KEY_CRYPTO_DEFAULT_IV_SIZE, &ivlength)) {
@@ -5400,10 +5402,14 @@
uint32_t sampleCount = mCurrentSampleInfoCount;
if (isSubsampleEncryption) {
+ if(size < 4){
+ return ERROR_MALFORMED;
+ }
if (!mDataSource->getUInt32(offset, &sampleCount)) {
return ERROR_IO;
}
offset += 4;
+ size -= 4;
}
// read CencSampleAuxiliaryDataFormats
@@ -5418,11 +5424,15 @@
}
memset(smpl->iv, 0, 16);
+ if(size < ivlength){
+ return ERROR_MALFORMED;
+ }
if (mDataSource->readAt(offset, smpl->iv, ivlength) != ivlength) {
return ERROR_IO;
}
offset += ivlength;
+ size -= ivlength;
bool readSubsamples;
if (isSubsampleEncryption) {
@@ -5437,13 +5447,20 @@
if (readSubsamples) {
uint16_t numsubsamples;
+ if(size < 2){
+ return ERROR_MALFORMED;
+ }
if (!mDataSource->getUInt16(offset, &numsubsamples)) {
return ERROR_IO;
}
offset += 2;
+ size -= 2;
for (size_t j = 0; j < numsubsamples; j++) {
uint16_t numclear;
uint32_t numencrypted;
+ if(size < 6){
+ return ERROR_MALFORMED;
+ }
if (!mDataSource->getUInt16(offset, &numclear)) {
return ERROR_IO;
}
@@ -5452,6 +5469,7 @@
return ERROR_IO;
}
offset += 4;
+ size -= 6;
smpl->clearsizes.add(numclear);
smpl->encryptedsizes.add(numencrypted);
}
@@ -5464,12 +5482,15 @@
return OK;
}
-status_t MPEG4Source::parseSampleEncryption(off64_t offset) {
+status_t MPEG4Source::parseSampleEncryption(off64_t offset, off64_t chunk_data_size) {
uint32_t flags;
+ if(chunk_data_size < 4) {
+ return ERROR_MALFORMED;
+ }
if (!mDataSource->getUInt32(offset, &flags)) { // actually version + flags
return ERROR_MALFORMED;
}
- return parseClearEncryptedSizes(offset + 4, true, flags);
+ return parseClearEncryptedSizes(offset + 4, true, flags, chunk_data_size - 4);
}
status_t MPEG4Source::parseTrackFragmentHeader(off64_t offset, off64_t size) {