DO NOT MERGE - MPEG4Extractor: Check mLastTrack before dereferencing.
Bug: 31449945
Change-Id: If2708b3006c22393e80a2557f93d8a71e4e7bf16
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 8318848..eae35e7 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -861,6 +861,9 @@
}
}
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
mLastTrack->sampleTable = new SampleTable(mDataSource);
}
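Review bot: The guard added before `mLastTrack->sampleTable = new SampleTable(mDataSource);` has no comment saying why mLastTrack can be NULL at this point, and the same three lines are repeated in every other hunk of this patch. A one-line comment such as `// mLastTrack is NULL until a track has been started; a malformed file can present this box first` would record the invariant for whoever adds the next case (where mLastTrack is set is not visible here, so the wording should be checked against that code). Because each case needs its own copy of the guard, any case that uses mLastTrack and is not touched by this patch stays unguarded; those cases are outside the visible hunks and are worth checking against the full switch. The enclosing block starts above this hunk.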
@@ -957,6 +960,9 @@
} else if (mHeaderTimescale == 0) {
ALOGW("ignoring edit list because timescale is 0");
} else {
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
off64_t entriesoffset = data_offset + 8;
uint64_t segment_duration;
int64_t media_time;
@@ -1008,6 +1014,9 @@
case FOURCC('f', 'r', 'm', 'a'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
uint32_t original_fourcc;
if (mDataSource->readAt(data_offset, &original_fourcc, 4) < 4) {
return ERROR_IO;
@@ -1027,6 +1036,9 @@
case FOURCC('t', 'e', 'n', 'c'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
if (chunk_size < 32) {
return ERROR_MALFORMED;
}
@@ -1077,6 +1089,9 @@
case FOURCC('t', 'k', 'h', 'd'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
status_t err;
if ((err = parseTrackHeader(data_offset, chunk_data_size)) != OK) {
return err;
@@ -1122,6 +1137,9 @@
case FOURCC('m', 'd', 'h', 'd'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
if (chunk_data_size < 4) {
return ERROR_MALFORMED;
}
@@ -1230,6 +1248,9 @@
uint32_t entry_count = U32_AT(&buffer[4]);
if (entry_count > 1) {
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
// For 3GPP timed text, there could be multiple tx3g boxes contain
// multiple text display formats. These formats will be used to
// display the timed text.
@@ -1264,6 +1285,9 @@
case FOURCC('s', 'a', 'm', 'r'):
case FOURCC('s', 'a', 'w', 'b'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
uint8_t buffer[8 + 20];
if (chunk_data_size < (ssize_t)sizeof(buffer)) {
// Basic AudioSampleEntry size.
@@ -1313,6 +1337,9 @@
case FOURCC('h', '2', '6', '3'):
case FOURCC('a', 'v', 'c', '1'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
mHasVideo = true;
uint8_t buffer[78];
@@ -1365,6 +1392,9 @@
case FOURCC('s', 't', 'c', 'o'):
case FOURCC('c', 'o', '6', '4'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
status_t err =
mLastTrack->sampleTable->setChunkOffsetParams(
chunk_type, data_offset, chunk_data_size);
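Review bot: The new check covers mLastTrack, but the next statement also dereferences `mLastTrack->sampleTable`, which in the visible hunks is assigned only at the `new SampleTable(mDataSource)` line of the first hunk. If a track can exist before that assignment has run (the Track initialisation is not visible here), a file that presents this box early still reaches a NULL dereference. Consider `if (mLastTrack == NULL || mLastTrack->sampleTable == NULL) {` here and in the 'stsc', 'stsz'/'stz2', 'stts', 'ctts' and 'stss' hunks, which call into sampleTable the same way. The case body continues past the end of the hunk.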
@@ -1379,6 +1409,9 @@
case FOURCC('s', 't', 's', 'c'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
status_t err =
mLastTrack->sampleTable->setSampleToChunkParams(
data_offset, chunk_data_size);
@@ -1394,6 +1427,9 @@
case FOURCC('s', 't', 's', 'z'):
case FOURCC('s', 't', 'z', '2'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
status_t err =
mLastTrack->sampleTable->setSampleSizeParams(
chunk_type, data_offset, chunk_data_size);
@@ -1474,6 +1510,9 @@
case FOURCC('s', 't', 't', 's'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
status_t err =
mLastTrack->sampleTable->setTimeToSampleParams(
data_offset, chunk_data_size);
@@ -1488,6 +1527,9 @@
case FOURCC('c', 't', 't', 's'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
status_t err =
mLastTrack->sampleTable->setCompositionTimeToSampleParams(
data_offset, chunk_data_size);
@@ -1502,6 +1544,9 @@
case FOURCC('s', 't', 's', 's'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
status_t err =
mLastTrack->sampleTable->setSyncSampleParams(
data_offset, chunk_data_size);
@@ -1551,6 +1596,9 @@
case FOURCC('e', 's', 'd', 's'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
if (chunk_data_size < 4) {
return ERROR_MALFORMED;
}
@@ -1594,6 +1642,9 @@
case FOURCC('a', 'v', 'c', 'C'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
sp<ABuffer> buffer = new ABuffer(chunk_data_size);
if (buffer->data() == NULL) {
@@ -1615,6 +1666,9 @@
case FOURCC('d', '2', '6', '3'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
/*
* d263 contains a fixed 7 bytes part:
* vendor - 4 bytes
@@ -1770,6 +1824,9 @@
case FOURCC('t', 'x', '3', 'g'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
uint32_t type;
const void *data;
size_t size = 0;
@@ -1850,6 +1907,9 @@
case FOURCC('s', 'i', 'd', 'x'):
{
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
parseSegmentIndex(data_offset, chunk_data_size);
*offset += chunk_size;
return UNKNOWN_ERROR; // stop parsing after sidx
@@ -2212,6 +2272,9 @@
int32_t delay, padding;
if (sscanf(mLastCommentData,
" %*x %x %x %*x", &delay, &padding) == 2) {
+ if (mLastTrack == NULL) {
+ return ERROR_MALFORMED;
+ }
mLastTrack->meta->setInt32(kKeyEncoderDelay, delay);
mLastTrack->meta->setInt32(kKeyEncoderPadding, padding);
}
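Review bot: `delay` and `padding` are declared `int32_t` but are filled through `%x`, which expects `unsigned int *`, and the parsed values go into the track metadata with no range check. The text being parsed comes from the file, so declaring them as `unsigned int delay, padding;` and rejecting values above INT32_MAX before the two `setInt32` calls would keep negative delay or padding out of the metadata. How downstream consumers use these keys is not visible here, so the impact of an out-of-range value is an assumption to confirm. The enclosing function starts outside the hunk.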