add trunksize as restriction for function parseClearEncryptedSizes()

Without trunksize as restriction, function parseClearEncryptedSized() can read the rest of file. If the file has a large number of saiz trunk, large number of bytes will be copied, which can lead to high cost of CPU time. Bug: 124777526 Test: please see #3 and #8 in bug report: push senc.mp4 to devices's sdcard open photo app manuly print log Change-Id: I854765c82d02d541b92f2658673aa4ce61fb5412 (cherry picked from commit aa15fefa185278a549fd72dd1b79ae73ca5e4436)
4 years ago · bce9a57e0f
parent 8f612b453b
commit bce9a57e0f
1 changed files with 28 additions and 7 deletions
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@ -160,8 +160,9 @@ private:
    status_t parseTrackFragmentRun(off64_t offset, off64_t size);
    status_t parseSampleAuxiliaryInformationSizes(off64_t offset, off64_t size);
    status_t parseSampleAuxiliaryInformationOffsets(off64_t offset, off64_t size);
-    status_t parseClearEncryptedSizes(off64_t offset, bool isSubsampleEncryption, uint32_t flags);
-    status_t parseSampleEncryption(off64_t offset);
+    status_t parseClearEncryptedSizes(
+        off64_t offset, bool isSubsampleEncryption, uint32_t flags, off64_t size);
+    status_t parseSampleEncryption(off64_t offset, off64_t size);
    // returns -1 for invalid layer ID
    int32_t parseHEVCLayerId(const uint8_t *data, size_t size);

@ -5188,7 +5189,7 @@ status_t MPEG4Source::parseChunk(off64_t *offset) {

        case FOURCC("senc"): {
            status_t err;
-            if ((err = parseSampleEncryption(data_offset)) != OK) {
+            if ((err = parseSampleEncryption(data_offset, chunk_data_size)) != OK) {
                return err;
            }
            *offset += chunk_size;
@ -5380,12 +5381,13 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
    off64_t drmoffset = mCurrentSampleInfoOffsets[0]; // from moof

    drmoffset += mCurrentMoofOffset;
+    size -= mCurrentMoofOffset;

-    return parseClearEncryptedSizes(drmoffset, false, 0);
+    return parseClearEncryptedSizes(drmoffset, false, 0, size);
 }

 status_t MPEG4Source::parseClearEncryptedSizes(
-        off64_t offset, bool isSubsampleEncryption, uint32_t flags) {
+        off64_t offset, bool isSubsampleEncryption, uint32_t flags, off64_t size) {

    int32_t ivlength;
    if (!AMediaFormat_getInt32(mFormat, AMEDIAFORMAT_KEY_CRYPTO_DEFAULT_IV_SIZE, &ivlength)) {
@ -5400,10 +5402,14 @@ status_t MPEG4Source::parseClearEncryptedSizes(

    uint32_t sampleCount = mCurrentSampleInfoCount;
    if (isSubsampleEncryption) {
+        if(size < 4){
+            return ERROR_MALFORMED;
+        }
        if (!mDataSource->getUInt32(offset, &sampleCount)) {
            return ERROR_IO;
        }
        offset += 4;
+        size -= 4;
    }

    // read CencSampleAuxiliaryDataFormats
@ -5418,11 +5424,15 @@ status_t MPEG4Source::parseClearEncryptedSizes(
        }

        memset(smpl->iv, 0, 16);
+        if(size < ivlength){
+            return ERROR_MALFORMED;
+        }
        if (mDataSource->readAt(offset, smpl->iv, ivlength) != ivlength) {
            return ERROR_IO;
        }

        offset += ivlength;
+        size -= ivlength;

        bool readSubsamples;
        if (isSubsampleEncryption) {
@ -5437,13 +5447,20 @@ status_t MPEG4Source::parseClearEncryptedSizes(

        if (readSubsamples) {
            uint16_t numsubsamples;
+            if(size < 2){
+                return ERROR_MALFORMED;
+            }
            if (!mDataSource->getUInt16(offset, &numsubsamples)) {
                return ERROR_IO;
            }
            offset += 2;
+            size -= 2;
            for (size_t j = 0; j < numsubsamples; j++) {
                uint16_t numclear;
                uint32_t numencrypted;
+                if(size < 6){
+                    return ERROR_MALFORMED;
+                }
                if (!mDataSource->getUInt16(offset, &numclear)) {
                    return ERROR_IO;
                }
@ -5452,6 +5469,7 @@ status_t MPEG4Source::parseClearEncryptedSizes(
                    return ERROR_IO;
                }
                offset += 4;
+                size -= 6;
                smpl->clearsizes.add(numclear);
                smpl->encryptedsizes.add(numencrypted);
            }
@ -5464,12 +5482,15 @@ status_t MPEG4Source::parseClearEncryptedSizes(
    return OK;
 }

-status_t MPEG4Source::parseSampleEncryption(off64_t offset) {
+status_t MPEG4Source::parseSampleEncryption(off64_t offset, off64_t chunk_data_size) {
    uint32_t flags;
+    if(chunk_data_size < 4) {
+        return ERROR_MALFORMED;
+    }
    if (!mDataSource->getUInt32(offset, &flags)) { // actually version + flags
        return ERROR_MALFORMED;
    }
-    return parseClearEncryptedSizes(offset + 4, true, flags);
+    return parseClearEncryptedSizes(offset + 4, true, flags, chunk_data_size - 4);
 }

 status_t MPEG4Source::parseTrackFragmentHeader(off64_t offset, off64_t size) {