| field | value | date |
|---|---|---|
| repository | frameworks_av | |
| author | Joshua J. Drake <android-open-source@qoop.org> | 2015-05-04 18:36:35 -0500 |
| committer | Paul Kocialkowski <contact@paulk.fr> | 2015-08-31 00:22:02 +0200 |
| commit | c40f2dc30a7e33526460750e43325a947845b4fb | |
| tree | 0d0417868b7190c730313f88cbcc97cf06fdb29e | |
| parent | dfaac4ee7320db3ae4b0149f262bd9f9d5397e96 | |
Prevent integer overflow when processing covr MPEG4 atoms
If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.
Bug: 20923261
Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f
Signed-off-by: Joshua J. Drake <android-open-source@qoop.org>
Tested-by: Moritz Bandemer <replicant@posteo.mx>
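To make the failure the commit message describes concrete, here is an added C example; it is not code from this page or from libstagefright. It mirrors the `chunk_data_size + 1` allocation and the `readAt` contract with an in-memory data source, shows the unguarded size wrapping to 0 at `SIZE_MAX`, and applies the patch's guard. The names `MemSource`, `mem_read_at`, `covr_alloc_size`, `read_covr_payload` and `covr_selftest`, the status values, and the rejection of a negative `chunk_data_size` (the patch itself only compares against `SIZE_MAX - 1`) are this example's assumptions; the 'covr' atom bytes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Status codes named after the extractor's; the values are this example's own. */
enum { STATUS_OK = 0, ERROR_MALFORMED = -1, ERROR_IO = -2 };

/* In-memory stand-in for mDataSource (assumed helper). readAt() copies up to
 * `size` bytes from `offset` into `buf` and returns the count, or -1 when the
 * offset lies past the end; the caller detects a short read by comparing the
 * return value with the requested size, as the extractor does. */
typedef struct { const uint8_t *data; size_t len; } MemSource;

ssize_t mem_read_at(const MemSource *src, uint64_t offset, uint8_t *buf, size_t size) {
    if (offset > src->len) return -1;
    size_t avail = src->len - (size_t)offset;
    size_t n = size < avail ? size : avail;
    memcpy(buf, src->data + offset, n);
    return (ssize_t)n;
}

/* What the pre-patch code handed to new uint8_t[...]: chunk_data_size + 1
 * evaluated in size_t, which wraps to 0 when chunk_data_size == SIZE_MAX. */
size_t unchecked_alloc_size(uint64_t chunk_data_size) {
    return (size_t)chunk_data_size + 1;
}

/* Guarded size computation. chunk_data_size is int64_t here because the
 * (long long) cast in the patch implies a signed type; refusing negatives is
 * this example's addition, the second test is the patch's check. */
bool covr_alloc_size(int64_t chunk_data_size, size_t *out) {
    if (chunk_data_size < 0) return false;                         /* assumption */
    if ((uint64_t)chunk_data_size >= SIZE_MAX - 1) return false;   /* patch */
    *out = (size_t)chunk_data_size + 1;
    return true;
}

/* Copy a covr atom's payload into a fresh NUL-terminated buffer (assumed
 * helper). Returns STATUS_OK and sets *out/*out_len, ERROR_MALFORMED when the
 * size cannot be represented, ERROR_IO on a short read. Caller frees *out. */
int read_covr_payload(const MemSource *src, int64_t chunk_data_size,
                      uint64_t data_offset, uint8_t **out, size_t *out_len) {
    size_t alloc;
    if (!covr_alloc_size(chunk_data_size, &alloc)) return ERROR_MALFORMED;
    uint8_t *buffer = malloc(alloc);
    if (buffer == NULL) return ERROR_IO;
    if (mem_read_at(src, data_offset, buffer, (size_t)chunk_data_size)
            != (ssize_t)chunk_data_size) {
        free(buffer);
        return ERROR_IO;
    }
    buffer[chunk_data_size] = '\0';   /* the +1 byte the allocation reserves */
    *out = buffer;
    *out_len = (size_t)chunk_data_size;
    return STATUS_OK;
}

/* Walks the cases above on a constructed atom; returns 1 when each behaves
 * as described, 0 otherwise. */
int covr_selftest(void) {
    /* Constructed 'covr' atom: big-endian 32-bit size 16, type, 8 payload bytes. */
    static const uint8_t atom[] = { 0, 0, 0, 16, 'c', 'o', 'v', 'r',
                                    1, 2, 3, 4, 5, 6, 7, 8 };
    MemSource src = { atom, sizeof atom };
    uint8_t *out = NULL;
    size_t len = 0;

    /* Well-formed: 8 payload bytes starting at offset 8. */
    if (read_covr_payload(&src, 8, 8, &out, &len) != STATUS_OK) return 0;
    int ok = (len == 8 && out[0] == 1 && out[7] == 8 && out[8] == '\0');
    free(out);
    if (!ok) return 0;

    /* Size larger than the file holds: short read, rejected as ERROR_IO. */
    if (read_covr_payload(&src, 100, 8, &out, &len) != ERROR_IO) return 0;
    /* The value from the commit message, and a negative size: both refused
     * before any allocation happens. */
    if (read_covr_payload(&src, (int64_t)SIZE_MAX, 8, &out, &len) != ERROR_MALFORMED) return 0;
    if (read_covr_payload(&src, -1, 8, &out, &len) != ERROR_MALFORMED) return 0;
    return 1;
}

int main(void) {
    printf("unguarded size for SIZE_MAX: %zu bytes\n", unchecked_alloc_size(SIZE_MAX));
    printf("selftest: %s\n", covr_selftest() ? "ok" : "FAILED");
    return covr_selftest() ? 0 : 1;
}
```

The guard stops the wrap, and nothing more: a chunk_data_size just below `SIZE_MAX - 1` is still handed to the allocator, so a file that claims a multi-gigabyte cover art atom fails in `malloc` (or, in the extractor, `new[]`) rather than in a size check. An upper bound tied to the file length is the usual next step; it is left out here to keep the example to what the patch does.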
-rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 92135ea..0c6f74c 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -1529,7 +1529,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { { if (mFileMetaData != NULL) { ALOGV("chunk_data_size = %lld and data_offset = %lld", - chunk_data_size, data_offset); + (long long)chunk_data_size, (long long)data_offset); + + if (chunk_data_size >= SIZE_MAX - 1) { + return ERROR_MALFORMED; + } uint8_t *buffer = new uint8_t[chunk_data_size + 1]; if (mDataSource->readAt( data_offset, buffer, chunk_data_size) != (ssize_t)chunk_data_size) { |
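Review bot: the new guard `if (chunk_data_size >= SIZE_MAX - 1)` prevents `chunk_data_size + 1` from wrapping, but it does not explicitly reject a negative chunk_data_size, and the `(long long)` cast added to the ALOGV line together with the `(ssize_t)chunk_data_size` comparison below suggest the variable is a signed 64-bit type. On a 64-bit build a negative value converts to an unsigned value above `SIZE_MAX - 1` and is refused only as a side effect; on a 32-bit build `SIZE_MAX` is promoted to the signed 64-bit type instead, so a negative value passes the check and reaches `new uint8_t[chunk_data_size + 1]` and the readAt with that size. Suggest `if (chunk_data_size < 0 || chunk_data_size >= SIZE_MAX - 1)` so the intent is explicit on both targets. Separately, the check only rules out the wrap: any size below `SIZE_MAX - 1` is still passed to `new[]`, so an atom claiming gigabytes of cover art still triggers an allocation attempt of that size before readAt fails; a bound against the data source length (or a sane maximum for album art) would fail faster and cheaper.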