Reject bad resolution for security issue BZ: IMINAN-51493 Fixes: 38180135 Test: adb shell stagefright /sdcard/mpeg2-1.mp4 Test: netflix, play movies, youtube Change-Id: Id20df74bb9957a472d7e412d257ebc1d27a2023e Signed-off-by: Austin Hu <austin.hu@intel.com> (cherry picked from commit 4216c5c686f07d42113c5779ecb911b1a944383b)

commit: c32764350c8f66fcb9e17cd1ba70869da68ea62a [log] [tgz]
author: Austin Hu <austin.hu@intel.com> Thu May 11 16:30:11 2017 +0800
committer: Daniel Cardenas <danielcar@google.com> Tue May 16 14:32:08 2017 -0700
tree: 39539b5ee6fea07664edd2680ebc003794c4a925
parent: 42162bacfad5d5b6cd58dad8d2a1f810ded8ca88 [diff]
diff --git a/videodecoder/VideoDecoderAVC.cpp b/videodecoder/VideoDecoderAVC.cpp index f0e047e..a9ddc8b 100644 --- a/videodecoder/VideoDecoderAVC.cpp +++ b/videodecoder/VideoDecoderAVC.cpp 
@@ -25,6 +25,9 @@  #define NW_CONSUMED 2  #define POC_DEFAULT 0x7FFFFFFF   +#define MAX_PICTURE_WIDTH_AVC 4096 +#define MAX_PICTURE_HEIGHT_AVC 4096 +  VideoDecoderAVC::VideoDecoderAVC(const char *mimeType)  : VideoDecoderBase(mimeType, VBP_H264),  mToggleDPB(0), @@ -65,6 +68,11 @@  status = VideoDecoderBase::parseBuffer(buffer->data, buffer->size, true, (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data->frame_width > MAX_PICTURE_WIDTH_AVC || + data->codec_data->frame_height > MAX_PICTURE_HEIGHT_AVC) { + return DECODE_INVALID_DATA; + } +  status = startVA(data);  return status;  } @@ -102,6 +110,11 @@  (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data->frame_width > MAX_PICTURE_WIDTH_AVC || + data->codec_data->frame_height > MAX_PICTURE_HEIGHT_AVC) { + return DECODE_INVALID_DATA; + } +  if (!mVAStarted) {  if (data->has_sps && data->has_pps) {  status = startVA(data); 
diff --git a/videodecoder/VideoDecoderMPEG2.cpp b/videodecoder/VideoDecoderMPEG2.cpp index 928ee9b..9d6a784 100644 --- a/videodecoder/VideoDecoderMPEG2.cpp +++ b/videodecoder/VideoDecoderMPEG2.cpp 
@@ -18,6 +18,9 @@  #include "VideoDecoderTrace.h"  #include <string.h>   +#define MAX_PICTURE_WIDTH_MPEG2 1920 +#define MAX_PICTURE_HEIGHT_MPEG2 1088 +  VideoDecoderMPEG2::VideoDecoderMPEG2(const char *mimeType)  : VideoDecoderBase(mimeType, VBP_MPEG2),  mBufferIDs(NULL), @@ -48,6 +51,11 @@  (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data->frame_width > MAX_PICTURE_WIDTH_MPEG2 || + data->codec_data->frame_height > MAX_PICTURE_HEIGHT_MPEG2) { + return DECODE_INVALID_DATA; + } +  status = startVA(data);  return status;  } @@ -85,6 +93,11 @@  (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data->frame_width > MAX_PICTURE_WIDTH_MPEG2 || + data->codec_data->frame_height > MAX_PICTURE_HEIGHT_MPEG2) { + return DECODE_INVALID_DATA; + } +  if (!mVAStarted) {  status = startVA(data);  CHECK_STATUS("startVA"); 
diff --git a/videodecoder/VideoDecoderMPEG4.cpp b/videodecoder/VideoDecoderMPEG4.cpp index 6472446..51543ab 100644 --- a/videodecoder/VideoDecoderMPEG4.cpp +++ b/videodecoder/VideoDecoderMPEG4.cpp 
@@ -18,6 +18,9 @@  #include "VideoDecoderTrace.h"  #include <string.h>   +#define MAX_PICTURE_WIDTH_MPEG4 1920 +#define MAX_PICTURE_HEIGHT_MPEG4 1088 +  VideoDecoderMPEG4::VideoDecoderMPEG4(const char *mimeType)  : VideoDecoderBase(mimeType, VBP_MPEG4),  mLastVOPTimeIncrement(0), @@ -46,6 +49,11 @@  status = VideoDecoderBase::parseBuffer(buffer->data, buffer->size, true, (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data.video_object_layer_width > MAX_PICTURE_WIDTH_MPEG4 || + data->codec_data.video_object_layer_height > MAX_PICTURE_HEIGHT_MPEG4) { + return DECODE_INVALID_DATA; + } +  status = startVA(data);  return status;  } @@ -80,6 +88,11 @@  (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data.video_object_layer_width > MAX_PICTURE_WIDTH_MPEG4 || + data->codec_data.video_object_layer_height > MAX_PICTURE_HEIGHT_MPEG4) { + return DECODE_INVALID_DATA; + } +  if (!mVAStarted) {  status = startVA(data);  CHECK_STATUS("startVA"); 
diff --git a/videodecoder/VideoDecoderVP8.cpp b/videodecoder/VideoDecoderVP8.cpp index ab561da..a3d700a 100644 --- a/videodecoder/VideoDecoderVP8.cpp +++ b/videodecoder/VideoDecoderVP8.cpp 
@@ -18,6 +18,9 @@  #include "VideoDecoderTrace.h"  #include <string.h>   +#define MAX_PICTURE_WIDTH_VP8 1920 +#define MAX_PICTURE_HEIGHT_VP8 1088 +  VideoDecoderVP8::VideoDecoderVP8(const char *mimeType)  : VideoDecoderBase(mimeType, VBP_VP8) {  invalidateReferenceFrames(0); @@ -132,6 +135,11 @@  status = VideoDecoderBase::parseBuffer(buffer->data, buffer->size, true, (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data->frame_width > MAX_PICTURE_WIDTH_VP8 || + data->codec_data->frame_height > MAX_PICTURE_HEIGHT_VP8) { + return DECODE_INVALID_DATA; + } +  status = startVA(data);  return status;  } @@ -165,6 +173,11 @@  (void**)&data);  CHECK_STATUS("VideoDecoderBase::parseBuffer");   + if (data->codec_data->frame_width > MAX_PICTURE_WIDTH_VP8 || + data->codec_data->frame_height > MAX_PICTURE_HEIGHT_VP8) { + return DECODE_INVALID_DATA; + } +  mShowFrame = data->codec_data->show_frame;    if (!mVAStarted) { 
diff --git a/videodecoder/VideoDecoderWMV.cpp b/videodecoder/VideoDecoderWMV.cpp index 88b09b3..bd55888 100644 --- a/videodecoder/VideoDecoderWMV.cpp +++ b/videodecoder/VideoDecoderWMV.cpp 
@@ -18,6 +18,9 @@  #include "VideoDecoderTrace.h"  #include <string.h>   +#define MAX_PICTURE_WIDTH_VC1 1920 +#define MAX_PICTURE_HEIGHT_VC1 1088 +  VideoDecoderWMV::VideoDecoderWMV(const char *mimeType)  : VideoDecoderBase(mimeType, VBP_VC1),  mBufferIDs(NULL), @@ -49,6 +52,11 @@  status = parseBuffer(buffer->data, buffer->size, &data);  CHECK_STATUS("parseBuffer");   + if (data->se_data->CODED_WIDTH > MAX_PICTURE_WIDTH_VC1 || + data->se_data->CODED_HEIGHT > MAX_PICTURE_HEIGHT_VC1) { + return DECODE_INVALID_DATA; + } +  status = startVA(data);  return status;  } @@ -89,6 +97,11 @@  status = parseBuffer(buffer->data, buffer->size, &data);  CHECK_STATUS("parseBuffer");   + if (data->se_data->CODED_WIDTH > MAX_PICTURE_WIDTH_VC1 || + data->se_data->CODED_HEIGHT > MAX_PICTURE_HEIGHT_VC1) { + return DECODE_INVALID_DATA; + } +  if (!mVAStarted) {  status = startVA(data);  CHECK_STATUS("startVA");
commit	c32764350c8f66fcb9e17cd1ba70869da68ea62a	[log] [tgz]
author	Austin Hu <austin.hu@intel.com>	Thu May 11 16:30:11 2017 +0800
committer	Daniel Cardenas <danielcar@google.com>	Tue May 16 14:32:08 2017 -0700
tree	39539b5ee6fea07664edd2680ebc003794c4a925
parent	42162bacfad5d5b6cd58dad8d2a1f810ded8ca88 [diff]