am 79c896ea: am 26b7dfcf: am 0bde48f5: am 99a1a6a7: am e6ca5b2d: am 566c70ca: Guard against codecinfo overflow

* commit '79c896eab1626cc91d7d1942476e445e5a788239': Guard against codecinfo overflow
author: Marco Nelissen <marcone@google.com> 2015-08-05 18:28:32 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2015-08-05 18:28:32 +0000
commit: 4a10bddeee36039fbb915b35d0c7f9536446558c (patch)
tree: bdeef5ef549560aa56cc617d989eccad6457b6c9 /media
parent: f18cce444091d40386fce32ebfdf6b130d07b131 (diff)
parent: 79c896eab1626cc91d7d1942476e445e5a788239 (diff)
download: frameworks_av-4a10bddeee36039fbb915b35d0c7f9536446558c.zip
frameworks_av-4a10bddeee36039fbb915b35d0c7f9536446558c.tar.gz
frameworks_av-4a10bddeee36039fbb915b35d0c7f9536446558c.tar.bz2
2 files changed, 20 insertions, 2 deletions
diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp
index 74234a6..7d867b7 100644
--- a/media/libstagefright/MetaData.cpp
+++ b/media/libstagefright/MetaData.cpp
@@ -272,7 +272,12 @@ void MetaData::typed_data::setData(
 
     mType = type;
     allocateStorage(size);
-    memcpy(storage(), data, size);
+    void *dst = storage();
+    if (!dst) {
+        ALOGE("Couldn't allocate %zu bytes for item", size);
+        return;
+    }
+    memcpy(dst, data, size);
 }
 
 void MetaData::typed_data::getData(
diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp
index 0712bf0..54f875b 100644
--- a/media/libstagefright/matroska/MatroskaExtractor.cpp
+++ b/media/libstagefright/matroska/MatroskaExtractor.cpp
@@ -865,25 +865,38 @@ status_t addVorbisCodecInfo(
     size_t offset = 1;
     size_t len1 = 0;
     while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
+        if (len1 > (SIZE_MAX - 0xff)) {
+            return ERROR_MALFORMED; // would overflow
+        }
         len1 += 0xff;
         ++offset;
     }
     if (offset >= codecPrivateSize) {
         return ERROR_MALFORMED;
     }
+    if (len1 > (SIZE_MAX - codecPrivate[offset])) {
+        return ERROR_MALFORMED; // would overflow
+    }
     len1 += codecPrivate[offset++];
 
     size_t len2 = 0;
     while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
+        if (len2 > (SIZE_MAX - 0xff)) {
+            return ERROR_MALFORMED; // would overflow
+        }
         len2 += 0xff;
         ++offset;
     }
     if (offset >= codecPrivateSize) {
         return ERROR_MALFORMED;
     }
+    if (len2 > (SIZE_MAX - codecPrivate[offset])) {
+        return ERROR_MALFORMED; // would overflow
+    }
     len2 += codecPrivate[offset++];
 
-    if (codecPrivateSize < offset + len1 + len2) {
+    if (len1 > SIZE_MAX - len2 || offset > SIZE_MAX - (len1 + len2) ||
+            codecPrivateSize < offset + len1 + len2) {
         return ERROR_MALFORMED;
     }
author	Marco Nelissen <marcone@google.com>	2015-08-05 18:28:32 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2015-08-05 18:28:32 +0000
commit	4a10bddeee36039fbb915b35d0c7f9536446558c (patch)
tree	bdeef5ef549560aa56cc617d989eccad6457b6c9 /media
parent	f18cce444091d40386fce32ebfdf6b130d07b131 (diff)
parent	79c896eab1626cc91d7d1942476e445e5a788239 (diff)
download	frameworks_av-4a10bddeee36039fbb915b35d0c7f9536446558c.zip frameworks_av-4a10bddeee36039fbb915b35d0c7f9536446558c.tar.gz frameworks_av-4a10bddeee36039fbb915b35d0c7f9536446558c.tar.bz2