mpeg2ts: Handle bitstream shortfall errors gracefully
Implemented a numBitsLeft check before invoking the getBits method to
prevent a crash.
Added a check to unsigned integer variable in
parseProgramAssociationTable.
Bug: 155700550
Bug: 316035064
Test: ./mpeg2ts_extractor_fuzzer
Test: atest Mpeg2tsUnitTest
Test: atest CtsMediaExtractorTestCases
Change-Id: I1ef4c6bbb2916babf7528456f5c56d55a3e0da70
diff --git a/media/module/mpeg2ts/ATSParser.cpp b/media/module/mpeg2ts/ATSParser.cpp
index 86187bd..88c3cc2 100644
--- a/media/module/mpeg2ts/ATSParser.cpp
+++ b/media/module/mpeg2ts/ATSParser.cpp
@@ -440,6 +440,10 @@
ATSParser::CADescriptor *caDescriptor) {
bool found = false;
while (infoLength > 2) {
+ if (br->numBitsLeft() < 16) {
+ ALOGE("Not enough data left in bitreader");
+ return false;
+ }
unsigned descriptor_tag = br->getBits(8);
ALOGV(" tag = 0x%02x", descriptor_tag);
@@ -452,6 +456,10 @@
}
if (descriptor_tag == DESCRIPTOR_CA && descriptor_length >= 4) {
found = true;
+ if (br->numBitsLeft() < 32) {
+ ALOGE("Not enough data left in bitreader");
+ return false;
+ }
caDescriptor->mSystemID = br->getBits(16);
caDescriptor->mPID = br->getBits(16) & 0x1fff;
infoLength -= 4;
@@ -460,14 +468,24 @@
break;
} else {
infoLength -= descriptor_length;
- br->skipBits(descriptor_length * 8);
+ if (!br->skipBits(descriptor_length * 8)) {
+ ALOGE("Not enough data left in bitreader");
+ return false;
+ }
}
}
- br->skipBits(infoLength * 8);
+ if (!br->skipBits(infoLength * 8)) {
+ ALOGE("Not enough data left in bitreader");
+ return false;
+ }
return found;
}
status_t ATSParser::Program::parseProgramMap(ABitReader *br) {
+ if (br->numBitsLeft() < 10) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned table_id = br->getBits(8);
ALOGV(" table_id = %u", table_id);
if (table_id != 0x02u) {
@@ -482,6 +500,10 @@
}
br->skipBits(1); // '0'
+ if (br->numBitsLeft() < 86) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
MY_LOGV(" reserved = %u", br->getBits(2));
unsigned section_length = br->getBits(12);
@@ -526,6 +548,10 @@
while (infoBytesRemaining >= 5) {
StreamInfo info;
+ if (br->numBitsLeft() < 40) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
info.mType = br->getBits(8);
ALOGV(" stream_type = 0x%02x", info.mType);
MY_LOGV(" reserved = %u", br->getBits(3));
@@ -545,6 +571,10 @@
info.mAudioPresentations.clear();
bool hasStreamCA = false;
while (ES_info_length > 2 && infoBytesRemaining >= 0) {
+ if (br->numBitsLeft() < 16) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned descriptor_tag = br->getBits(8);
ALOGV(" tag = 0x%02x", descriptor_tag);
@@ -562,21 +592,39 @@
if (descriptor_tag == DESCRIPTOR_DTS) {
info.mType = STREAMTYPE_DTS;
ES_info_length -= descriptor_length;
- br->skipBits(descriptor_length * 8);
+ if (!br->skipBits(descriptor_length * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
} else if (descriptor_tag == DESCRIPTOR_CA && descriptor_length >= 4) {
hasStreamCA = true;
+ if (br->numBitsLeft() < 32) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
streamCA.mSystemID = br->getBits(16);
streamCA.mPID = br->getBits(16) & 0x1fff;
ES_info_length -= descriptor_length;
descriptor_length -= 4;
streamCA.mPrivateData.assign(br->data(), br->data() + descriptor_length);
- br->skipBits(descriptor_length * 8);
+ if (!br->skipBits(descriptor_length * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
} else if (info.mType == STREAMTYPE_PES_PRIVATE_DATA &&
descriptor_tag == DESCRIPTOR_DVB_EXTENSION && descriptor_length >= 1) {
+ if (br->numBitsLeft() < 8) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned descTagExt = br->getBits(8);
ALOGV(" tag_ext = 0x%02x", descTagExt);
ES_info_length -= descriptor_length;
descriptor_length--;
+ if (br->numBitsLeft() < (descriptor_length * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
// The AC4 descriptor is used in the PSI PMT to identify streams which carry AC4
// audio.
if (descTagExt == EXT_DESCRIPTOR_DVB_AC4) {
@@ -594,6 +642,10 @@
br->skipBits(descriptor_length * 8);
} else if (descTagExt == EXT_DESCRIPTOR_DVB_AUDIO_PRESELECTION &&
descriptor_length >= 1) {
+ if (br->numBitsLeft() < 8) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
// DVB BlueBook A038 Table 110
unsigned num_preselections = br->getBits(5);
br->skipBits(3); // reserved
@@ -671,11 +723,17 @@
info.mAudioPresentations.push_back(std::move(ap));
}
} else {
- br->skipBits(descriptor_length * 8);
+ if (!br->skipBits(descriptor_length * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
}
} else {
ES_info_length -= descriptor_length;
- br->skipBits(descriptor_length * 8);
+ if (!br->skipBits(descriptor_length * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
}
}
if (hasStreamCA && !mParser->mCasManager->addStream(
@@ -694,6 +752,10 @@
if (infoBytesRemaining != 0) {
ALOGW("Section data remains unconsumed");
}
+ if (br->numBitsLeft() < 32) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned crc = br->getBits(32);
if (crc != mPMT_CRC) {
audioPresentationsChanged = true;
@@ -1261,6 +1323,10 @@
status_t ATSParser::Stream::parsePES(ABitReader *br, SyncEvent *event) {
const uint8_t *basePtr = br->data();
+ if (br->numBitsLeft() < 48) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned packet_startcode_prefix = br->getBits(24);
ALOGV("packet_startcode_prefix = 0x%08x", packet_startcode_prefix);
@@ -1286,10 +1352,14 @@
&& stream_id != 0xff // program_stream_directory
&& stream_id != 0xf2 // DSMCC
&& stream_id != 0xf8) { // H.222.1 type E
- if (br->getBits(2) != 2u) {
+ if (br->numBitsLeft() < 2 || br->getBits(2) != 2u) {
return ERROR_MALFORMED;
}
+ if (br->numBitsLeft() < 22) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned PES_scrambling_control = br->getBits(2);
ALOGV("PES_scrambling_control = %u", PES_scrambling_control);
@@ -1328,19 +1398,19 @@
return ERROR_MALFORMED;
}
- if (br->getBits(4) != PTS_DTS_flags) {
+ if (br->numBitsLeft() < 7 || br->getBits(4) != PTS_DTS_flags) {
return ERROR_MALFORMED;
}
PTS = ((uint64_t)br->getBits(3)) << 30;
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 16 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
PTS |= ((uint64_t)br->getBits(15)) << 15;
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 16 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
PTS |= br->getBits(15);
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 1 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
@@ -1353,20 +1423,20 @@
return ERROR_MALFORMED;
}
- if (br->getBits(4) != 1u) {
+ if (br->numBitsLeft() < 7 || br->getBits(4) != 1u) {
return ERROR_MALFORMED;
}
DTS = ((uint64_t)br->getBits(3)) << 30;
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 16 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
DTS |= ((uint64_t)br->getBits(15)) << 15;
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 16 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
DTS |= br->getBits(15);
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 1 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
@@ -1381,22 +1451,30 @@
return ERROR_MALFORMED;
}
+ if (br->numBitsLeft() < 5) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
br->getBits(2);
uint64_t ESCR = ((uint64_t)br->getBits(3)) << 30;
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 16 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
ESCR |= ((uint64_t)br->getBits(15)) << 15;
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 16 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
ESCR |= br->getBits(15);
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 1 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
ALOGV("ESCR = %" PRIu64, ESCR);
+ if (br->numBitsLeft() < 10) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
MY_LOGV("ESCR_extension = %u", br->getBits(9));
if (br->getBits(1) != 1u) {
@@ -1411,18 +1489,25 @@
return ERROR_MALFORMED;
}
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 1 || br->getBits(1) != 1u) {
+ return ERROR_MALFORMED;
+ }
+ if (br->numBitsLeft() < 22) {
+ ALOGE("Not enough data left in bitreader!");
return ERROR_MALFORMED;
}
MY_LOGV("ES_rate = %u", br->getBits(22));
- if (br->getBits(1) != 1u) {
+ if (br->numBitsLeft() < 1 || br->getBits(1) != 1u) {
return ERROR_MALFORMED;
}
optional_bytes_remaining -= 3;
}
- br->skipBits(optional_bytes_remaining * 8);
+ if (!br->skipBits(optional_bytes_remaining * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
// ES data follows.
int32_t pesOffset = br->data() - basePtr;
@@ -1450,7 +1535,10 @@
PTS_DTS_flags, PTS, DTS, PES_scrambling_control,
br->data(), dataLength, pesOffset, event);
- br->skipBits(dataLength * 8);
+ if (!br->skipBits(dataLength * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
} else {
onPayloadData(
PTS_DTS_flags, PTS, DTS, PES_scrambling_control,
@@ -1465,15 +1553,13 @@
payloadSizeBits / 8, pesOffset);
}
} else if (stream_id == 0xbe) { // padding_stream
- if (PES_packet_length == 0u) {
+ if (PES_packet_length == 0u || !br->skipBits(PES_packet_length * 8)) {
return ERROR_MALFORMED;
}
- br->skipBits(PES_packet_length * 8);
} else {
- if (PES_packet_length == 0u) {
+ if (PES_packet_length == 0u || !br->skipBits(PES_packet_length * 8)) {
return ERROR_MALFORMED;
}
- br->skipBits(PES_packet_length * 8);
}
return OK;
@@ -1481,6 +1567,10 @@
uint32_t ATSParser::Stream::getPesScramblingControl(
ABitReader *br, int32_t *pesOffset) {
+ if (br->numBitsLeft() < 24) {
+ ALOGE("Not enough data left in bitreader!");
+ return 0;
+ }
unsigned packet_startcode_prefix = br->getBits(24);
ALOGV("packet_startcode_prefix = 0x%08x", packet_startcode_prefix);
@@ -1491,6 +1581,7 @@
}
if (br->numBitsLeft() < 48) {
+ ALOGE("Not enough data left in bitreader!");
return 0;
}
@@ -1987,12 +2078,20 @@
}
void ATSParser::parseProgramAssociationTable(ABitReader *br) {
+ if (br->numBitsLeft() < 8) {
+ ALOGE("Not enough data left in bitreader!");
+ return;
+ }
unsigned table_id = br->getBits(8);
ALOGV(" table_id = %u", table_id);
if (table_id != 0x00u) {
ALOGE("PAT data error!");
return ;
}
+ if (br->numBitsLeft() < 56) {
+ ALOGE("Not enough data left in bitreader!");
+ return;
+ }
unsigned section_syntax_indictor = br->getBits(1);
ALOGV(" section_syntax_indictor = %u", section_syntax_indictor);
@@ -2009,9 +2108,17 @@
MY_LOGV(" section_number = %u", br->getBits(8));
MY_LOGV(" last_section_number = %u", br->getBits(8));
+ // check for unsigned integer overflow before assigning it to numProgramBytes
+ if (section_length < 9) {
+ return;
+ }
size_t numProgramBytes = (section_length - 5 /* header */ - 4 /* crc */);
for (size_t i = 0; i < numProgramBytes / 4; ++i) {
+ if (br->numBitsLeft() < 32) {
+ ALOGE("Not enough data left in bitreader!");
+ return;
+ }
unsigned program_number = br->getBits(16);
ALOGV(" program_number = %u", program_number);
@@ -2049,6 +2156,10 @@
}
}
+ if (br->numBitsLeft() < 32) {
+ ALOGE("Not enough data left in bitreader!");
+ return;
+ }
MY_LOGV(" CRC = 0x%08x", br->getBits(32));
}
@@ -2070,9 +2181,16 @@
section->clear();
}
+ if (br->numBitsLeft() < 8) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned skip = br->getBits(8);
section->setSkipBytes(skip + 1); // skip filler bytes + pointer field itself
- br->skipBits(skip * 8);
+ if (!br->skipBits(skip * 8)) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
}
if (br->numBitsLeft() % 8 != 0) {
@@ -2157,6 +2275,10 @@
status_t ATSParser::parseAdaptationField(
ABitReader *br, unsigned PID, unsigned *random_access_indicator) {
*random_access_indicator = 0;
+ if (br->numBitsLeft() < 8) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned adaptation_field_length = br->getBits(8);
if (adaptation_field_length > 0) {
@@ -2227,6 +2349,10 @@
status_t ATSParser::parseTS(ABitReader *br, SyncEvent *event) {
ALOGV("---");
+ if (br->numBitsLeft() < 32) {
+ ALOGE("Not enough data left in bitreader!");
+ return ERROR_MALFORMED;
+ }
unsigned sync_byte = br->getBits(8);
if (sync_byte != 0x47u) {
ALOGE("[error] parseTS: return error as sync_byte=0x%x", sync_byte);