Fix multiple division-by-zero conditions in MPEG4 parsing

Several situations arise processing MP4 atoms that lead to undefined behavior
when dividing by zero. Typically this results in a crash (denial of service
condition).

NOTE: In most cases we simply avoid the division, leaving kKeyDuration unset.
It may be more desirable to bail out, as we do in the parseSegmentIndex case.

Bug: 20139950
Change-Id: I62e1b977f0e5ed0094094a55d300bac76b476c7b
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 6019a85..87d14b7 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1203,7 +1203,7 @@
duration = ntohl(duration32);
}
}
- if (duration != 0) {
+ if (duration != 0 && mLastTrack->timescale != 0) {
mLastTrack->meta->setInt64(
kKeyDuration, (duration * 1000000) / mLastTrack->timescale);
}
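Review bot: The new `mLastTrack->timescale != 0` guard skips the setInt64 call silently, so a track with a nonzero duration and a zero timescale is accepted with kKeyDuration unset and nothing in the log. The sidx hunk in this same change returns ERROR_MALFORMED for the same condition. Consider returning ERROR_MALFORMED here as well, or at least logging a warning, so that code reading kKeyDuration later does not have to handle a missing key for a file that is plainly malformed.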
@@ -1817,7 +1817,7 @@
}
duration = d32;
}
- if (duration != 0) {
+ if (duration != 0 && mHeaderTimescale != 0) {
mFileMetaData->setInt64(kKeyDuration, duration * 1000000 / mHeaderTimescale);
}
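Review bot: In `duration * 1000000 / mHeaderTimescale` the multiplication runs before the division, and the added guard does nothing about a large file-supplied duration wrapping in that product. The `duration = d32` line above suggests duration is wider than 32 bits at this point, so a 64-bit value from the file can overflow here. Consider comparing duration against the type's maximum divided by 1000000 before multiplying, or rejecting the atom, as part of this fix.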
@@ -1866,7 +1866,7 @@
return ERROR_MALFORMED;
}
- if (duration != 0) {
+ if (duration != 0 && mHeaderTimescale != 0) {
mFileMetaData->setInt64(kKeyDuration, duration * 1000000 / mHeaderTimescale);
}
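Review bot: The `duration != 0 && mHeaderTimescale != 0` condition and the setInt64 call it guards duplicate the hunk at -1817 line for line, and the track-level hunk at -1203 is a third copy of the same rule. A small helper that takes the duration and timescale and reports whether a duration could be computed would keep these checks from drifting apart. Since the context line just above already returns ERROR_MALFORMED, this is also a natural place to decide whether a zero timescale should be an error instead of a skipped key.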
@@ -2080,6 +2080,8 @@
return ERROR_MALFORMED;
}
ALOGV("sidx refid/timescale: %d/%d", referenceId, timeScale);
+ if (timeScale == 0)
+ return ERROR_MALFORMED;
uint64_t earliestPresentationTime;
uint64_t firstOffset;
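Review bot: The added `if (timeScale == 0)` has no braces, while every other if touched by this patch uses them; add braces to match. The only log line near the rejection is the ALOGV above, which is compiled out unless verbose logging is enabled, so an ALOGE or ALOGW stating that a zero sidx timescale was rejected would make this failure diagnosable in the field.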