summaryrefslogtreecommitdiffstats
path: root/media
diff options
context:
space:
mode:
authorJoshua J. Drake <android-open-source@qoop.org>2015-04-08 23:53:10 -0500
committerNick Kralevich <nnk@google.com>2015-04-09 17:34:17 -0700
commit07c0f59d6c48874982d2b5c713487612e5af465a (patch)
tree2b2020300acb6954190a453080827ac252adcf46 /media
parentc24607c29c96f939aed9e33bfa702b1dd79da4b7 (diff)
downloadframeworks_av-07c0f59d6c48874982d2b5c713487612e5af465a.zip
frameworks_av-07c0f59d6c48874982d2b5c713487612e5af465a.tar.gz
frameworks_av-07c0f59d6c48874982d2b5c713487612e5af465a.tar.bz2
Fix integer underflow in ESDS processing
Several arithmetic operations within parseESDescriptor could underflow, leading to an out-of-bounds read operation. Ensure that subtractions from 'size' do not cause it to wrap around. Bug: 20139950 Change-Id: I0d1b136ce68fd7c6f606ce66714bf644cfb2961c
Diffstat (limited to 'media')
-rw-r--r--media/libstagefright/ESDS.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp
index 427bf7b..8fbb57c 100644
--- a/media/libstagefright/ESDS.cpp
+++ b/media/libstagefright/ESDS.cpp
@@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) {
--size;
if (streamDependenceFlag) {
+ if (size < 2)
+ return ERROR_MALFORMED;
offset += 2;
size -= 2;
}
@@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) {
return ERROR_MALFORMED;
}
unsigned URLlength = mData[offset];
+ if (URLlength >= size)
+ return ERROR_MALFORMED;
offset += URLlength + 1;
size -= URLlength + 1;
}
if (OCRstreamFlag) {
+ if (size < 2)
+ return ERROR_MALFORMED;
offset += 2;
size -= 2;
generated by cgit v1.1 at 2024-05-02 07:04:03 +0000