Bug 1334971: P1. Properly handle invalid PPS. r?gerald
A PPS contains an id that is used as an index into an array. We must ensure that there's enough space in that array.
Also fix H264::DecodePPS which incorrectly always returned an error when parsing a valid PPS.
MozReview-Commit-ID: L1HUAdxWdu0
--- a/media/libstagefright/binding/H264.cpp
+++ b/media/libstagefright/binding/H264.cpp
@@ -748,19 +748,22 @@ H264::DecodePPSDataSetFromExtraData(cons
RefPtr<mozilla::MediaByteBuffer> pps = DecodeNALUnit(rawNAL);
if (!pps) {
return false;
}
PPSData ppsData;
- if(DecodePPS(pps, aSPSes, ppsData)) {
+ if (!DecodePPS(pps, aSPSes, ppsData)) {
return false;
}
+ if (ppsData.pic_parameter_set_id >= aDest.Length()) {
+ aDest.SetLength(ppsData.pic_parameter_set_id + 1);
+ }
aDest[ppsData.pic_parameter_set_id] = Move(ppsData);
}
return true;
}
/* static */ bool
H264::DecodePPS(const mozilla::MediaByteBuffer* aPPS, const SPSDataSet& aSPSes,
PPSData& aDest)
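Review bot: The new `aDest.SetLength(ppsData.pic_parameter_set_id + 1)` grows the array only far enough to reach the parsed id, so every slot for an id that never appeared in the extradata stays default-constructed and a later lookup by id cannot tell a parsed PPS from an empty one. The same applies to the `aSPSes.Length()` check added in the `DecodePPS` hunk: it shows that the slot exists, not that an SPS with that id was decoded, so the `memcpy` of the scaling matrices may read from an unpopulated entry if `aSPSes` is filled the same way (not visible here). Consider tracking validity per entry, or at least documenting the behaviour above the resize, e.g. `// id is capped at MAX_PPS_COUNT - 1 by DecodePPS; slots for ids not seen stay default-initialised` (this assumes `READUE` rejects values above its second argument). The enclosing function starts outside the hunk.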
@@ -773,16 +776,20 @@ H264::DecodePPS(const mozilla::MediaByte
return false;
}
BitReader br(aPPS, GetBitLength(aPPS));
READUE(pic_parameter_set_id, MAX_PPS_COUNT - 1);
READUE(seq_parameter_set_id, MAX_SPS_COUNT - 1);
+ if (aDest.seq_parameter_set_id >= aSPSes.Length()) {
+ // Invalid SPS id.
+ return false;
+ }
const SPSData& sps = aSPSes[aDest.seq_parameter_set_id];
memcpy(aDest.scaling_matrix4x4, sps.scaling_matrix4x4,
sizeof(aDest.scaling_matrix4x4));
memcpy(aDest.scaling_matrix8x8, sps.scaling_matrix8x8,
sizeof(aDest.scaling_matrix8x8));
aDest.entropy_coding_mode_flag = br.ReadBit();