Merge "Fix potential overflow in WAV extractor" into oc-dev

commit: e2b1c22fe82b55f4c6ea1131e1a621034da24733 [log] [tgz]
author: Marco Nelissen <marcone@google.com> Tue Nov 10 00:11:18 2020 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Tue Nov 10 00:11:18 2020 +0000
tree: 9790dda471787d34336afbaa55cdb2ec7b9d8edf
parent: 91fed774acc81072616a39b353ca930563de90e3 [diff]
parent: 7e151103ca63ee6c864824cc90f4ecb102cbc91e [diff]
diff --git a/media/libstagefright/mpeg2ts/ESQueue.cpp b/media/libstagefright/mpeg2ts/ESQueue.cpp
index 11f3ed1..25fd529 100644
--- a/media/libstagefright/mpeg2ts/ESQueue.cpp
+++ b/media/libstagefright/mpeg2ts/ESQueue.cpp

@@ -1119,7 +1119,13 @@
                 if (mSampleDecryptor != NULL && (nalType == 1 || nalType == 5)) {
                     uint8_t *nalData = mBuffer->data() + pos.nalOffset;
                     size_t newSize = mSampleDecryptor->processNal(nalData, pos.nalSize);
-                    // Note: the data can shrink due to unescaping
+                    // Note: the data can shrink due to unescaping, but it can never grow
+                    if (newSize > pos.nalSize) {
+                        // don't log unless verbose, since this can get called a lot if
+                        // the caller is trying to resynchronize
+                        ALOGV("expected sample size < %u, got %zu", pos.nalSize, newSize);
+                        return NULL;
+                    }
                     memcpy(accessUnit->data() + dstOffset + 4,
                             nalData,
                             newSize);
commit	e2b1c22fe82b55f4c6ea1131e1a621034da24733	[log] [tgz]
author	Marco Nelissen <marcone@google.com>	Tue Nov 10 00:11:18 2020 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Tue Nov 10 00:11:18 2020 +0000
tree	9790dda471787d34336afbaa55cdb2ec7b9d8edf
parent	91fed774acc81072616a39b353ca930563de90e3 [diff]
parent	7e151103ca63ee6c864824cc90f4ecb102cbc91e [diff]