diff options
| author | Robert Shih <robertshih@google.com> | 2015-08-20 15:29:05 -0700 |
|---|---|---|
| committer | Steve Kondik <steve@cyngn.com> | 2016-03-22 17:14:35 -0700 |
| commit | 92742eb7af414d5818fd09fafddb6d6f79c0d9a9 (patch) | |
| tree | e40be9d6df003962887850c9dee35e628f69487a /media | |
| parent | 985e33c71917a8c7f3cc5bbb2bd0d1feb188c258 (diff) | |
| download | frameworks_av-92742eb7af414d5818fd09fafddb6d6f79c0d9a9.zip frameworks_av-92742eb7af414d5818fd09fafddb6d6f79c0d9a9.tar.gz frameworks_av-92742eb7af414d5818fd09fafddb6d6f79c0d9a9.tar.bz2 | |
OMXCodec: fix potential OOB read in parseHEVCCodecSpecificData
Bug: 23279597
Change-Id: Ibaa3d52e586e65230ec6df3680d9456ce873390c
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/OMXCodec.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp index abe19a0..7f97039 100644 --- a/media/libstagefright/OMXCodec.cpp +++ b/media/libstagefright/OMXCodec.cpp @@ -399,7 +399,7 @@ status_t OMXCodec::parseHEVCCodecSpecificData( const uint8_t *ptr = (const uint8_t *)data; // verify minimum size and configurationVersion == 1. - if (size < 7 || ptr[0] != 1) { + if (size < 23 || ptr[0] != 1) { return ERROR_MALFORMED; } @@ -414,6 +414,9 @@ status_t OMXCodec::parseHEVCCodecSpecificData( size -= 1; size_t j = 0, i = 0; for (i = 0; i < numofArrays; i++) { + if (size < 3) { + return ERROR_MALFORMED; + } ptr += 1; size -= 1; |