Prevent spinning in parseSps on bad loop values

parseUEWithFallback could return garbabe values for malformed streams, bail out early if this happens. bug: 124253062 test: poc attached in bug, shouldn't see high cpu usage in Photos Change-Id: I7664384038d100dc55f6e35fbf79cd09ebc204e3
5 years ago · b420379f72
parent 2b2a2c2d5e
commit b420379f72
1 changed files with 9 additions and 0 deletions
--- a/media/libstagefright/HevcUtils.cpp
+++ b/media/libstagefright/HevcUtils.cpp
@ -312,14 +312,23 @@ status_t HevcParameterSets::parseSps(const uint8_t* data, size_t size) {
            for (uint32_t j = 0; j < numPics; ++j) {
                skipUE(&reader); // delta_poc_s0|1_minus1[i]
                reader.skipBits(1); // used_by_curr_pic_s0|1_flag[i]
+                if (reader.overRead()) {
+                    return ERROR_MALFORMED;
+                }
            }
        }
+        if (reader.overRead()) {
+            return ERROR_MALFORMED;
+        }
    }
    if (reader.getBitsWithFallback(1, 0)) { // long_term_ref_pics_present_flag
        uint32_t numLongTermRefPicSps = parseUEWithFallback(&reader, 0);
        for (uint32_t i = 0; i < numLongTermRefPicSps; ++i) {
            reader.skipBits(log2MaxPicOrderCntLsb); // lt_ref_pic_poc_lsb_sps[i]
            reader.skipBits(1); // used_by_curr_pic_lt_sps_flag[i]
+            if (reader.overRead()) {
+                return ERROR_MALFORMED;
+            }
        }
    }
    reader.skipBits(1); // sps_temporal_mvp_enabled_flag