diff options
author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 23:53:10 -0500 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-04-09 17:34:17 -0700 |
commit | 07c0f59d6c48874982d2b5c713487612e5af465a (patch) | |
tree | 2b2020300acb6954190a453080827ac252adcf46 /media | |
parent | c24607c29c96f939aed9e33bfa702b1dd79da4b7 (diff) | |
download | frameworks_av-07c0f59d6c48874982d2b5c713487612e5af465a.zip frameworks_av-07c0f59d6c48874982d2b5c713487612e5af465a.tar.gz frameworks_av-07c0f59d6c48874982d2b5c713487612e5af465a.tar.bz2 |
Fix integer underflow in ESDS processing
Several arithmetic operations within parseESDescriptor could underflow, leading
to an out-of-bounds read operation. Ensure that subtractions from 'size' do not
cause it to wrap around.
Bug: 20139950
Change-Id: I0d1b136ce68fd7c6f606ce66714bf644cfb2961c
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/ESDS.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp index 427bf7b..8fbb57c 100644 --- a/media/libstagefright/ESDS.cpp +++ b/media/libstagefright/ESDS.cpp @@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { --size; if (streamDependenceFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; } @@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { return ERROR_MALFORMED; } unsigned URLlength = mData[offset]; + if (URLlength >= size) + return ERROR_MALFORMED; offset += URLlength + 1; size -= URLlength + 1; } if (OCRstreamFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; |