authorJoshua J. Drake <android-open-source@qoop.org>2015-05-04 18:36:35 -0500
committerPaul Kocialkowski <contact@paulk.fr>2015-08-31 00:22:02 +0200
commitc40f2dc30a7e33526460750e43325a947845b4fb (patch)
tree0d0417868b7190c730313f88cbcc97cf06fdb29e
parentdfaac4ee7320db3ae4b0149f262bd9f9d5397e96 (diff)
Prevent integer overflow when processing covr MPEG4 atoms
If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur and cause an undersized buffer to be allocated. The following processing then overfills the resulting memory and creates a potentially exploitable condition. Ensure that integer overflow does not occur. Bug: 20923261 Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
-rw-r--r--media/libstagefright/MPEG4Extractor.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 92135ea..0c6f74c 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1529,7 +1529,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
{
if (mFileMetaData != NULL) {
ALOGV("chunk_data_size = %lld and data_offset = %lld",
- chunk_data_size, data_offset);
+ (long long)chunk_data_size, (long long)data_offset);
+
+ if (chunk_data_size >= SIZE_MAX - 1) {
+ return ERROR_MALFORMED;
+ }
uint8_t *buffer = new uint8_t[chunk_data_size + 1];
if (mDataSource->readAt(
data_offset, buffer, chunk_data_size) != (ssize_t)chunk_data_size) {
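Review bot: The new guard `if (chunk_data_size >= SIZE_MAX - 1)` is a signed/unsigned comparison if `chunk_data_size` is the signed 64-bit type the `(long long)` casts in the ALOGV line suggest, so its effect depends on the build's integer widths: on an LP64 build a negative value converts to a huge unsigned and is rejected, but on an ILP32 build `SIZE_MAX - 1` is promoted to the 64-bit signed type, a negative value passes the check, and `chunk_data_size + 1` is then truncated when narrowed to the `size_t` that `new[]` and `readAt` take. If `chunk_data_size` can be negative here (its computation is outside the hunk, so this is inferred), reject that case explicitly and force an unsigned comparison: `if (chunk_data_size < 0 || (uint64_t)chunk_data_size >= SIZE_MAX - 1) {`. A short comment on the guard would also make the intent survive future edits, e.g. `// chunk_data_size + 1 must not wrap when converted to size_t for the new[] below`. The body of parseChunk, including the handling of a short readAt and the ownership of the raw `buffer`, continues outside the hunk.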