author | Joshua J. Drake <android-open-source@qoop.org> | 2015-05-04 17:14:11 -0500 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-05-07 20:25:05 -0700 |
commit | 97d45dbfdfc9018f1cbf72641c1447ff59431ae3 (patch) | |
tree | c067e108ec5aab67bf505d36b3b3e1299ef4ea4c /media | |
parent | 3f4431e97376b8a315ad8862724e1e1fb34c9292 (diff) | |
Fix integer underflow in covr MPEG4 processing

When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 6573afc..6a2d68a 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -2022,6 +2022,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { return ERROR_IO; } const int kSkipBytesOfDataBox = 16; + if (chunk_data_size <= kSkipBytesOfDataBox) { + return ERROR_MALFORMED; + } + mFileMetaData->setData( kKeyAlbumArt, MetaData::TYPE_NONE, buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox); |
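Review bot: The new guard `if (chunk_data_size <= kSkipBytesOfDataBox)` in parseChunk also rejects the equal case, which would make `chunk_data_size - kSkipBytesOfDataBox` zero rather than underflow, while the commit message only describes the less-than case. If returning ERROR_MALFORMED for a covr box with an empty payload is intended, a one-line comment above the check saying so would help; otherwise `<` is the minimal condition. The check also sits after the path that can `return ERROR_IO;`, so an undersized covr chunk is still read before it is rejected; validating the size before that read would fail earlier. Finally, `kSkipBytesOfDataBox` is declared `const int` and is both compared with and subtracted from `chunk_data_size`; declaring it with the same type as `chunk_data_size` would keep the comparison and the size passed to `setData` free of implicit conversions.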