diff options
| author | Jeff Tinker <jtinker@google.com> | 2016-05-13 11:48:11 -0700 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2016-05-27 11:30:16 -0700 |
| commit | e248db02fbab2ee9162940bc19f087fd7d96cb9d (patch) | |
| tree | 62facf38819d5bbf83c4d888cb81844549443f79 /media/libstagefright | |
| parent | 60547808ca4e9cfac50028c00c58a6ceb2319301 (diff) | |
| download | frameworks_av-e248db02fbab2ee9162940bc19f087fd7d96cb9d.zip frameworks_av-e248db02fbab2ee9162940bc19f087fd7d96cb9d.tar.gz frameworks_av-e248db02fbab2ee9162940bc19f087fd7d96cb9d.tar.bz2 | |
Fix security vulnerability in libstagefright
bug: 28175045
Change-Id: Icee6c7eb5b761da4aa3e412fb71825508d74d38f
Diffstat (limited to 'media/libstagefright')
| -rw-r--r-- | media/libstagefright/DRMExtractor.cpp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp index 9cb6e86..e2bc89c 100644 --- a/media/libstagefright/DRMExtractor.cpp +++ b/media/libstagefright/DRMExtractor.cpp @@ -200,7 +200,17 @@ status_t DRMSource::read(MediaBuffer **buffer, const ReadOptions *options) { continue; } - CHECK(dstOffset + 4 <= (*buffer)->size()); + if (dstOffset > SIZE_MAX - 4 || + dstOffset + 4 > SIZE_MAX - nalLength || + dstOffset + 4 + nalLength > (*buffer)->size()) { + (*buffer)->release(); + (*buffer) = NULL; + if (decryptedDrmBuffer.data) { + delete [] decryptedDrmBuffer.data; + decryptedDrmBuffer.data = NULL; + } + return ERROR_MALFORMED; + } dstData[dstOffset++] = 0; dstData[dstOffset++] = 0; |