Avoid parsing CC SEI payload beyond buffer end Break CC SEI parsing when payload size exceeds buffer size to avoid a CHECK that have been seen in MTBF statistics. Change-Id: Ifd97648678a935ac815dd616301d46f9bf583838

commit: 303a2c2b7c321947fa6032893de3ed8a3d6e93ee [log] [tgz]
author: Patrik2 Carlsson <patrik2.carlsson@sonymobile.com> Mon May 25 15:12:49 2015 +0200
committer: Takahiro Aizawa <takahiro.aizawa@sonymobile.com> Thu Nov 26 11:18:39 2015 +0900
tree: b813ef2344eda36671017ec8d94cd7afd6971581
parent: 2d772fd4afd1481a8cea5f59b890d771dbada2f6 [diff] [blame]
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
index ac3c6b6..2c07f28 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerCCDecoder.cpp

@@ -235,6 +235,12 @@
             payload_size += last_byte;
         } while (last_byte == 0xFF);
 
+        if (payload_size > SIZE_MAX / 8
+                || !br.atLeastNumBitsLeft(payload_size * 8)) {
+            ALOGV("Malformed SEI payload");
+            break;
+        }
+
         // sei_payload()
         if (payload_type == 4) {
             bool isCC = false;
commit	303a2c2b7c321947fa6032893de3ed8a3d6e93ee	[log] [tgz]
author	Patrik2 Carlsson <patrik2.carlsson@sonymobile.com>	Mon May 25 15:12:49 2015 +0200
committer	Takahiro Aizawa <takahiro.aizawa@sonymobile.com>	Thu Nov 26 11:18:39 2015 +0900
tree	b813ef2344eda36671017ec8d94cd7afd6971581
parent	2d772fd4afd1481a8cea5f59b890d771dbada2f6 [diff] [blame]