From f66ebe82bb0b47e7337dda102df354d5ab7d8dc9 Mon Sep 17 00:00:00 2001 From: KongQun Yang Date: Tue, 23 Dec 2014 12:10:23 -0800 Subject: [PATCH] Fix packager crash with corrupted media file The corrupted media file contains an invalid chunk offset box. Bug: 18411271 Change-Id: I3d7f51c3647134bd7d0846d0992e10e398784475 --- packager/media/base/offset_byte_queue.cc | 1 - packager/media/formats/mp4/mp4_media_parser.cc | 11 +++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/packager/media/base/offset_byte_queue.cc b/packager/media/base/offset_byte_queue.cc index 3e45dedcaa..96047ac90b 100644 --- a/packager/media/base/offset_byte_queue.cc +++ b/packager/media/base/offset_byte_queue.cc @@ -39,7 +39,6 @@ void OffsetByteQueue::Pop(int count) { } void OffsetByteQueue::PeekAt(int64_t offset, const uint8_t** buf, int* size) { - DCHECK_GE(offset, head()); if (offset < head() || offset >= tail()) { *buf = NULL; *size = 0; diff --git a/packager/media/formats/mp4/mp4_media_parser.cc b/packager/media/formats/mp4/mp4_media_parser.cc index 4601e1b4a4..25f40f538f 100644 --- a/packager/media/formats/mp4/mp4_media_parser.cc +++ b/packager/media/formats/mp4/mp4_media_parser.cc @@ -399,9 +399,16 @@ bool MP4MediaParser::EnqueueSample(bool* err) { return !*err; } - queue_.PeekAt(runs_->sample_offset() + moof_head_, &buf, &buf_size); - if (buf_size < runs_->sample_size()) + int64_t sample_offset = runs_->sample_offset() + moof_head_; + queue_.PeekAt(sample_offset, &buf, &buf_size); + if (buf_size < runs_->sample_size()) { + if (sample_offset < queue_.head()) { + LOG(ERROR) << "Incorrect sample offset " << sample_offset + << " < " << queue_.head(); + *err = true; + } return false; + } scoped_refptr stream_sample(MediaSample::CopyFrom( buf, runs_->sample_size(), runs_->is_keyframe()));