From 1ef49b8757f8aa3c0515e05a5c69d3b95a2d3416 Mon Sep 17 00:00:00 2001
From: Ray Essick
Date: Mon, 10 Apr 2023 14:15:52 -0500
Subject: Catch nullptr possibilities in MediaExtractor jni code

Detect and gracefully fail some missed cases where a null pointer can occur in the MediaExtractor code.

Bug: 277614674
Test: CtsMediaExtractorTestCases w/debug messages
Change-Id: I4acb6dbbcf42391194555559ee7bd2612c776ece
---
 media/jni/android_media_MediaExtractor.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/media/jni/android_media_MediaExtractor.cpp b/media/jni/android_media_MediaExtractor.cpp
index 116237f6b998..609c7a40bb36 100644
--- a/media/jni/android_media_MediaExtractor.cpp
+++ b/media/jni/android_media_MediaExtractor.cpp
@@ -196,6 +196,15 @@ status_t JMediaExtractor::readSampleData(
 dstSize = (size_t) env->GetDirectBufferCapacity(byteBuf);
 }
+ // unlikely, but GetByteArrayElements() can fail
+ if (dst == nullptr) {
+ ALOGE("no buffer into which to read the data");
+ if (byteArray != NULL) {
+ env->ReleaseByteArrayElements(byteArray, (jbyte *)dst, 0);
+ }
+ return -ENOMEM;
+ }
+
 if (dstSize < offset) {
 if (byteArray != NULL) {
 env->ReleaseByteArrayElements(byteArray, (jbyte *)dst, 0);
@@ -204,8 +213,10 @@ status_t JMediaExtractor::readSampleData(
 return -ERANGE;
 }
+ // passes in the backing memory to use, so it doesn't fail
 sp buffer = new ABuffer((char *)dst + offset, dstSize - offset);
+ buffer->setRange(0, 0); // mark it empty
 status_t err = mImpl->readSampleData(buffer);
 if (byteArray != NULL) {
--
cgit v1.2.3-59-g8ed1b
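Review bot: In the added `dst == nullptr` branch, `env->ReleaseByteArrayElements(byteArray, (jbyte *)dst, 0)` is called with a null elements pointer. The release call is meant for a pointer that GetByteArrayElements() actually returned, and mode 0 asks the runtime to copy back and free it. Nothing was acquired on this path, so the inner `if (byteArray != NULL) { ... }` block can be dropped, leaving `ALOGE("no buffer into which to read the data"); return -ENOMEM;`. The check presumably also catches a null address on the direct-buffer path (the assignment to dst is above the hunk), so the comment could read `// dst is null if GetByteArrayElements() or the direct-buffer address lookup failed`. readSampleData starts and ends outside the hunk.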
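Review bot: The `// mark it empty` comment on `buffer->setRange(0, 0);` does not say why the reset matters, and the reason is the security-relevant part of this hunk. An ABuffer built over caller-supplied memory presumably starts with its range covering the whole capacity. If so, a readSampleData() that fails or writes nothing would leave the buffer reporting stale destination bytes as sample data. I would spell that out, e.g. `// start with an empty range so a failed or short read never reports stale bytes from the caller's buffer as sample data`. How the buffer's size is used after the call is outside the hunk, so confirm the error path there does not rely on the old full-capacity range.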