author | Joshua J. Drake <android-open-source@qoop.org> | 2015-05-04 17:57:24 -0500 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-05-07 20:27:31 -0700 |
commit | 9458e715d391ee8fe455fc31f07ff35ce12e0531 (patch) | |
tree | f5787de2ee60cc0a4d1bad91792ee4da6c8cf0a3 /media | |
parent | 3f4431e97376b8a315ad8862724e1e1fb34c9292 (diff) | |
Prevent integer underflow if size is below 6

When processing 3GPP metadata, a subtraction operation may underflow and
lead to a rather large linear byteswap operation in the subsequent
framedata decoding code. Bound the 'size' value to prevent this from
occurring.

Bug: 20923261
Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 6573afc..5d4d882 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -2678,6 +2678,10 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept int len16 = 0; // Number of UTF-16 characters // smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00 + if (size < 6) { + return ERROR_MALFORMED; + } + if (size - 6 >= 4) { len16 = ((size - 6) / 2) - 1; // don't include 0x0000 terminator framedata = (char16_t *)(buffer + 6); |
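Review bot: `len16` is declared `int` but is assigned `((size - 6) / 2) - 1`, which is computed in `size_t`, so the new `size < 6` check closes the wrap in `size - 6` while a very large `size` can still be narrowed into a wrong or negative `len16`; consider making `len16` a `size_t` or rejecting oversized values in the same guard. The guard also lands between the comment about the smallest valid UTF-16 string and the `if (size - 6 >= 4)` that the comment describes, so move it above that comment and give it a one-line comment of its own saying what the 6 bytes are. `buffer` is in use right after this point and its allocation is not visible in the hunk, so confirm the new `return ERROR_MALFORMED;` does not skip any cleanup it needs.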