Limit mp4 atom size to something reasonable
Bug: 28615448
Change-Id: I5916f6839b4a9bbee4388a106e7373bcd4154f5a
(cherry picked from commit 7788f1213095ea8495e40cb4cba30bbe7b989118)
(cherry picked from commit 2fae4e4cb6b3039f28810e827de75b0612fadd83)
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 99a85f5..70a294c 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -55,6 +55,10 @@
enum {
// max track header chunk to return
kMaxTrackHeaderSize = 32,
+
+ // maximum size of an atom. Some atoms can be bigger according to the spec,
+ // but we only allow up to this size.
+ kMaxAtomSize = 64 * 1024 * 1024,
};
class MPEG4Source : public MediaSource {
@@ -880,6 +884,13 @@
ALOGE("b/23540914");
return ERROR_MALFORMED;
}
+ if (chunk_type != FOURCC('m', 'd', 'a', 't') && chunk_data_size > kMaxAtomSize) {
+ char errMsg[100];
+ sprintf(errMsg, "%s atom has size %" PRId64, chunk, chunk_data_size);
+ ALOGE("%s (b/28615448)", errMsg);
+ android_errorWriteWithInfoLog(0x534e4554, "28615448", -1, errMsg, strlen(errMsg));
+ return ERROR_MALFORMED;
+ }
if (chunk_type != FOURCC('c', 'p', 'r', 't')
&& chunk_type != FOURCC('c', 'o', 'v', 'r')