From e3b0877212dacc0b3e65fce1d4ee4352e8ed9fb3 Mon Sep 17 00:00:00 2001 From: "Joshua J. Drake" Date: Wed, 8 Apr 2015 23:53:10 -0500 Subject: Fix integer underflow in ESDS processing Several arithmetic operations within parseESDescriptor could underflow, leading to an out-of-bounds read operation. Ensure that subtractions from 'size' do not cause it to wrap around. Bug: 20139950 Change-Id: Ie987c58e49323ff273fd57db410534fa83db1cb2 Signed-off-by: Joshua J. Drake Tested-by: Moritz Bandemer --- media/libstagefright/ESDS.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp index 4a0c35c..c76bc4a 100644 --- a/media/libstagefright/ESDS.cpp +++ b/media/libstagefright/ESDS.cpp @@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { --size; if (streamDependenceFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; } @@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { return ERROR_MALFORMED; } unsigned URLlength = mData[offset]; + if (URLlength >= size) + return ERROR_MALFORMED; offset += URLlength + 1; size -= URLlength + 1; } if (OCRstreamFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; -- cgit v1.1