Better size validation when parsing httplive/aac headers.

ensure no underflow when pulling header from front of AAC packet. Indicate malformed error in parent routine if we don't have the expected header data. Bug: 128433933 Test: y
5 years ago · 076443f630
parent b9df1597c7
commit 076443f630
2 changed files with 9 additions and 1 deletions
--- a/media/libstagefright/httplive/PlaylistFetcher.cpp
+++ b/media/libstagefright/httplive/PlaylistFetcher.cpp
@ -2125,7 +2125,10 @@ status_t PlaylistFetcher::extractAndQueueAccessUnits(
    size_t offset = 0;
    while (offset < buffer->size()) {
        const uint8_t *adtsHeader = buffer->data() + offset;
-        CHECK_LT(offset + 5, buffer->size());
+        if (buffer->size() <= offset+5) {
+            ALOGV("buffer does not contain a complete header");
+            return ERROR_MALFORMED;
+        }
        // non-const pointer for decryption if needed
        uint8_t *adtsFrame = buffer->data() + offset;

--- a/media/libstagefright/mpeg2ts/HlsSampleDecryptor.cpp
+++ b/media/libstagefright/mpeg2ts/HlsSampleDecryptor.cpp
@ -149,6 +149,11 @@ void HlsSampleDecryptor::processAAC(size_t adtsHdrSize, uint8_t *data, size_t si
    }

    // ADTS header is included in the size
+    if (size < adtsHdrSize) {
+        ALOGV("processAAC: size (%zu) < adtsHdrSize (%zu)", size, adtsHdrSize);
+        android_errorWriteLog(0x534e4554, "128433933");
+        return;
+    }
    size_t offset = adtsHdrSize;
    size_t remainingBytes = size - adtsHdrSize;