author | Sungtak Lee <taklee@google.com> | 2018-08-07 18:01:50 -0700 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-11-02 19:14:21 +0000 |
commit | de50404e4b8b3c4a6377416abc6736f7b25c4a73 (patch) | |
tree | 9461c71b18c9b416d05f36a599895a2778f91c8e | |
parent | db3b4e6b765d3cbb509bbc99e97f88f251634a66 (diff) | |
NuPlayer2CCDecoder: Add bound check before memcpy
Test: none
Bug: 111874331
Change-Id: I6764802e8e8afd7e970ee433741f73a9b3d366dd
(cherry picked from commit 71920217d6017a5112ecd73abc4e68c16d680458)
(cherry picked from commit e96c64a0d21d1ab2c9ba9726766fd8432462888a)
-rw-r--r-- | media/libmediaplayer2/nuplayer2/NuPlayer2CCDecoder.cpp | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/media/libmediaplayer2/nuplayer2/NuPlayer2CCDecoder.cpp b/media/libmediaplayer2/nuplayer2/NuPlayer2CCDecoder.cpp
index e48e388234..e2159659f5 100644
--- a/media/libmediaplayer2/nuplayer2/NuPlayer2CCDecoder.cpp
+++ b/media/libmediaplayer2/nuplayer2/NuPlayer2CCDecoder.cpp
@@ -372,10 +372,16 @@ bool NuPlayer2::CCDecoder::parseMPEGCCData(int64_t timeUs, const uint8_t *data,
 timeUs, mDTVCCPacket->data(), mDTVCCPacket->size());
 mDTVCCPacket->setRange(0, 0);
 }
+ if (mDTVCCPacket->size() + 2 > mDTVCCPacket->capacity()) {
+ return false;
+ }
 memcpy(mDTVCCPacket->data() + mDTVCCPacket->size(), br.data(), 2);
 mDTVCCPacket->setRange(0, mDTVCCPacket->size() + 2);
 br.skipBits(16);
 } else if (mDTVCCPacket->size() > 0 && cc_type == 2) {
+ if (mDTVCCPacket->size() + 2 > mDTVCCPacket->capacity()) {
+ return false;
+ }
 memcpy(mDTVCCPacket->data() + mDTVCCPacket->size(), br.data(), 2);
 mDTVCCPacket->setRange(0, mDTVCCPacket->size() + 2);
 br.skipBits(16);
@@ -403,6 +409,9 @@ bool NuPlayer2::CCDecoder::parseMPEGCCData(int64_t timeUs, const uint8_t *data,
 line21CCBuf = new ABuffer((cc_count - i) * sizeof(CCData));
 line21CCBuf->setRange(0, 0);
 }
+ if (line21CCBuf->size() + sizeof(cc) > line21CCBuf->capacity()) {
+ return false;
+ }
 memcpy(line21CCBuf->data() + line21CCBuf->size(), &cc, sizeof(cc));
 line21CCBuf->setRange(0, line21CCBuf->size() + sizeof(CCData));
 }
@@ -464,6 +473,9 @@ bool NuPlayer2::CCDecoder::parseDTVCCPacket(int64_t timeUs, const uint8_t *data,
 size_t trackIndex = getTrackIndex(kTrackTypeCEA708, service_number, &trackAdded);
 if (mSelectedTrack == (ssize_t)trackIndex) {
 sp<ABuffer> ccPacket = new ABuffer(block_size);
+ if (ccPacket->capacity() == 0) {
+ return false;
+ }
 memcpy(ccPacket->data(), br.data(), block_size);
 mCCMap.add(timeUs, ccPacket);
 }
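Review bot: In the `cc_type == 2` branch the new `return false;` leaves the partially filled `mDTVCCPacket` untouched, so the over-long packet is still buffered when the next packet start arrives, and the context lines at the top of the hunk suggest that path passes `mDTVCCPacket->data()` and `size()` on before resetting the range. Clearing the buffer before bailing out, `mDTVCCPacket->setRange(0, 0);` ahead of the `return false;`, would discard the malformed packet instead of parsing it later. Both rejections are also silent; an `ALOGW` naming the overflow would make malformed caption streams visible in logs. The enclosing loop starts and ends outside the hunk, so how the caller treats `false` is not visible here.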
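Review bot: The guard and the `memcpy` in the second parseMPEGCCData hunk use `sizeof(cc)`, while the `setRange` advance on the following line uses `sizeof(CCData)`; the two are presumably equal, but the bound only holds as long as they are. Using one expression for check, copy and advance, e.g. `line21CCBuf->setRange(0, line21CCBuf->size() + sizeof(cc));`, keeps them from drifting apart. Returning from inside the loop also drops whatever was already collected in `line21CCBuf`, so a comment such as `// allocation failed or buffer full: drop this CC payload` would record that this is intended.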
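Review bot: The check added in parseDTVCCPacket covers only the destination: `capacity() == 0` catches a failed or zero-sized allocation, while the `memcpy` still reads `block_size` bytes from `br.data()`. Nothing in this hunk shows that the reader holds that many bytes; if that is not validated earlier in the function (outside the hunk), add `if (br.numBitsLeft() < block_size * 8) return false;` before the copy. Comparing `ccPacket->capacity() < block_size` would also state the intent more directly than testing for zero.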
@@ -527,10 +539,12 @@ void NuPlayer2::CCDecoder::display(int64_t timeUs) { ccBuf = new ABuffer(size); ccBuf->setRange(0, 0); - for (ssize_t i = 0; i <= index; ++i) { - sp<ABuffer> buf = mCCMap.valueAt(i); - memcpy(ccBuf->data() + ccBuf->size(), buf->data(), buf->size()); - ccBuf->setRange(0, ccBuf->size() + buf->size()); + if (ccBuf->capacity() > 0) { + for (ssize_t i = 0; i <= index; ++i) { + sp<ABuffer> buf = mCCMap.valueAt(i); + memcpy(ccBuf->data() + ccBuf->size(), buf->data(), buf->size()); + ccBuf->setRange(0, ccBuf->size() + buf->size()); + } } } |
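Review bot: `if (ccBuf->capacity() > 0)` only rules out an empty buffer; inside the loop each `memcpy` still trusts that `size`, computed outside this hunk, equals the sum of the `buf->size()` values it copies. A per-iteration bound in the style of the parseMPEGCCData checks, `if (ccBuf->size() + buf->size() > ccBuf->capacity()) break;`, would keep the write in bounds even if the two ever disagree. A short comment on the guard, for example `// capacity 0: allocation failed or nothing to copy, leave ccBuf empty`, would explain why the loop is skipped rather than the function returning.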