author | Joshua J. Drake <android-open-source@qoop.org> | 2015-05-04 17:57:24 -0500 |
---|---|---|
committer | Wei Jia <wjia@google.com> | 2015-06-03 23:25:42 +0000 |
commit | 4d8ed149894eff1e21195a29d939f2ec389fe5d7 (patch) | |
tree | 3cbd28fab003a51ee63cefcdcb8e53c50882a684 | |
parent | 375e349556baa6a8ea59e963c33824e9063a0eca (diff) | |
Prevent integer underflow if size is below 6
When processing 3GPP metadata, a subtraction operation may underflow and
lead to a rather large linear byteswap operation in the subsequent
framedata decoding code. Bound the 'size' value to prevent this from
occurring.
Bug: 20923261
Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5
(cherry picked from commit 9458e715d391ee8fe455fc31f07ff35ce12e0531)
-rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 080dcd1..e74d9a6 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -2468,6 +2468,10 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept int len16 = 0; // Number of UTF-16 characters // smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00 + if (size < 6) { + return ERROR_MALFORMED; + } + if (size - 6 >= 4) { len16 = ((size - 6) / 2) - 1; // don't include 0x0000 terminator framedata = (char16_t *)(buffer + 6); |
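Review bot: The added early return `if (size < 6) { return ERROR_MALFORMED; }` exits at a point where `buffer` is already live (the following context reads `buffer + 6`), so if `buffer` is heap-allocated earlier in `parse3GPPMetaData`, this path has to release it before returning; the allocation is outside the visible context, so please confirm and add the cleanup if needed. The guard itself is correct for the stated bug, since `size` is a `size_t` and `size - 6` wraps to a very large value for anything below 6, which then passes `size - 6 >= 4`. A smaller point: the new block sits between the comment "smallest possible valid UTF-16 string w BOM" and the `if (size - 6 >= 4)` that the comment describes; moving the guard above that comment and giving it a one-line comment on why 6 is the lower bound would keep both checks readable.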