summaryrefslogtreecommitdiffstats
path: root/media
diff options
context:
space:
mode:
authorJoshua J. Drake <android-open-source@qoop.org>2015-05-04 17:14:11 -0500
committerPaul Kocialkowski <contact@paulk.fr>2015-08-31 00:22:02 +0200
commit28f82bc8d580a1e7ab2814cd0f75b47d42b2066c (patch)
treef72ba2589ee68e17338a0863fd772ab598a461ac /media
parentec6cff83536f54f1270a335e373caad76bdb8aa7 (diff)
downloadframeworks_av-28f82bc8d580a1e7ab2814cd0f75b47d42b2066c.zip
frameworks_av-28f82bc8d580a1e7ab2814cd0f75b47d42b2066c.tar.gz
frameworks_av-28f82bc8d580a1e7ab2814cd0f75b47d42b2066c.tar.bz2
Fix integer underflow in covr MPEG4 processing
When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an integer underflow can occur. This causes an extraordinarily large value to be passed to MetaData::setData, leading to a buffer overflow. Bug: 20923261 Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
Diffstat (limited to 'media')
-rw-r--r--media/libstagefright/MPEG4Extractor.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index ae592c4..28c41c4 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1550,6 +1550,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
return ERROR_IO;
}
const int kSkipBytesOfDataBox = 16;
+ if (chunk_data_size <= kSkipBytesOfDataBox) {
+ return ERROR_MALFORMED;
+ }
+
mFileMetaData->setData(
kKeyAlbumArt, MetaData::TYPE_NONE,
buffer + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);