Bug 1066319 - Reject mp4 files with unreasonable sample sizes. r=ajones

Don't believe the Sample Size Box if it declares too large a value. The limit is four times the fallback voodoo constant for 1080p in the stsz parser, to support UHD but not 8k video, per current limits elsewhere.
2024-09-13 09:24:08 -07:00 · 2014-09-13 10:24:00 -07:00 · 2014-09-13 10:24:00 -07:00 · 1747850822
commit 1747850822
parent 5737880385
2 changed files with 25 additions and 2 deletions
--- a/media/libstagefright/binding/mp4_demuxer.cpp
+++ b/media/libstagefright/binding/mp4_demuxer.cpp
@ -102,13 +102,17 @@ MP4Demuxer::Init()

    if (!mPrivate->mAudio.get() && !strncmp(mimeType, "audio/", 6)) {
      mPrivate->mAudio = e->getTrack(i);
-      mPrivate->mAudio->start();
+      if (mPrivate->mAudio->start() != OK) {
+        return false;
+      }
      mAudioConfig.Update(metaData, mimeType);
      mPrivate->mIndexes.AppendElement(new Index(
        mPrivate->mAudio->exportIndex(), mSource, mAudioConfig.mTrackId));
    } else if (!mPrivate->mVideo.get() && !strncmp(mimeType, "video/", 6)) {
      mPrivate->mVideo = e->getTrack(i);
-      mPrivate->mVideo->start();
+      if (mPrivate->mVideo->start() != OK) {
+        return false;
+      }
      mVideoConfig.Update(metaData, mimeType);
      mPrivate->mIndexes.AppendElement(new Index(
        mPrivate->mVideo->exportIndex(), mSource, mVideoConfig.mTrackId));
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@ -2428,6 +2428,13 @@ MPEG4Source::~MPEG4Source() {
    free(mCurrentSampleInfoOffsets);
 }

+static bool ValidInputSize(int32_t size) {
+  // Reject compressed samples larger than an uncompressed UHD
+  // frame. This is a reasonable cut-off for a lossy codec,
+  // combined with the current Firefox limit to 5k video.
+  return (size > 0 && size < 4 * (1920 * 1080) * 3 / 2);
+}
+
 status_t MPEG4Source::start(MetaData *params) {
    Mutex::Autolock autoLock(mLock);

@ -2443,6 +2450,10 @@ status_t MPEG4Source::start(MetaData *params) {

    int32_t max_size;
    CHECK(mFormat->findInt32(kKeyMaxInputSize, &max_size));
+    if (!ValidInputSize(max_size)) {
+      ALOGE("Invalid max input size %d", max_size);
+      return ERROR_MALFORMED;
+    }

    mSrcBuffer = new uint8_t[max_size];

@ -3225,6 +3236,10 @@ status_t MPEG4Source::read(

        int32_t max_size;
        CHECK(mFormat->findInt32(kKeyMaxInputSize, &max_size));
+        if (!ValidInputSize(max_size)) {
+          ALOGE("Invalid max input size %d", max_size);
+          return ERROR_MALFORMED;
+        }
        mBuffer = new MediaBuffer(max_size);
        assert(mBuffer);
    }
@ -3507,6 +3522,10 @@ status_t MPEG4Source::fragmentedRead(

        int32_t max_size;
        CHECK(mFormat->findInt32(kKeyMaxInputSize, &max_size));
+        if (!ValidInputSize(max_size)) {
+          ALOGE("Invalid max input size %d", max_size);
+          return ERROR_MALFORMED;
+        }
        mBuffer = new MediaBuffer(max_size);
        assert(mBuffer);
    }