author | Dan Austin <danielaustin@google.com> | 2015-10-16 12:22:09 -0700 |
---|---|---|
committer | Steve Kondik <steve@cyngn.com> | 2015-11-05 21:16:19 -0800 |
commit | a2d1b3c8b6cbb48e68728783471cfa2c7b75271c (patch) | |
tree | 31cd9015aa2c0b3ffd4c469f8a76479c3134339b /media | |
parent | 3e6ed1fd2d0e7bf45c1c97bc07db3905a3334f5d (diff) | |
Fixed benign overflows triggered by tests CVE-2015-1538-1 and
CVE-2015-1538-2 in CTS.
Bug: 25016754
Change-Id: I0ceb2c799899015be6b37d5e94fe306d0037a8d2
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 97dff43..ff2c52e 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -194,11 +194,11 @@ status_t SampleTable::setChunkOffsetParams(
 mNumChunkOffsets = U32_AT(&header[4]);
 if (mChunkOffsetType == kChunkOffsetType32) {
- if (data_size < 8 + mNumChunkOffsets * 4) {
+ if ((data_size - 8) / 4 < mNumChunkOffsets) {
 return ERROR_MALFORMED;
 }
 } else {
- if (data_size < 8 + mNumChunkOffsets * 8) {
+ if ((data_size - 8) / 8 < mNumChunkOffsets) {
 return ERROR_MALFORMED;
 }
 }
@@ -231,7 +231,7 @@ status_t SampleTable::setSampleToChunkParams(
 mNumSampleToChunkOffsets = U32_AT(&header[4]);
- if (data_size < 8 + mNumSampleToChunkOffsets * 12) {
+ if ((data_size - 8) / 12 < mNumSampleToChunkOffsets) {
 return ERROR_MALFORMED;
 }
@@ -245,6 +245,11 @@ status_t SampleTable::setSampleToChunkParams(
 for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {
 uint8_t buffer[12];
+
+ if (((SIZE_MAX / 12) - 8 - i) < mSampleToChunkOffset) {
+ return ERROR_MALFORMED;
+ }
+
 if (mDataSource->readAt( mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer)) != (ssize_t)sizeof(buffer)) {
@@ -386,7 +391,7 @@ status_t SampleTable::setCompositionTimeToSampleParams(
 size_t numEntries = U32_AT(&header[4]);
- if (data_size != (numEntries + 1) * 8) {
+ if (((SIZE_MAX / 8) - 1 < numEntries) || (data_size != (numEntries + 1) * 8)) {
 return ERROR_MALFORMED;
 } |
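Review bot: The rewritten checks in setChunkOffsetParams, `(data_size - 8) / 4` and `(data_size - 8) / 8`, are only sound if data_size is at least 8 when they run. If data_size is an unsigned type (its declaration is outside the hunk), a value below 8 makes the subtraction wrap and the comparison then passes for almost any mNumChunkOffsets. The guard that establishes this precondition is not visible here, since the function body starts before the hunk, so it is worth keeping it next to the arithmetic, either as a comment such as `// data_size >= 8 was verified above, so the subtraction cannot wrap` or as an explicit `if (data_size < 8 || (data_size - 8) / 4 < mNumChunkOffsets)`. The same applies to `(data_size - 8) / 12` in the setSampleToChunkParams hunk at -231.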
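Review bot: The guard added inside the loop in the -245 hunk does not match the expression it protects: the read uses `mSampleToChunkOffset + 8 + i * 12`, but the check compares the offset with `(SIZE_MAX / 12) - 8 - i`. That rejects any table whose offset lies above roughly SIZE_MAX / 12 (about 341 MiB where size_t is 32 bits) even though the sum would not overflow, and the left-hand side can itself wrap once i gets close to SIZE_MAX / 12. A check that mirrors the arithmetic, for example `if (mSampleToChunkOffset > SIZE_MAX - 8 - (size_t)i * 12) return ERROR_MALFORMED;`, would be easier to audit; the type of mSampleToChunkOffset is declared outside the hunk, so the cast may need adjusting. The loop body continues past the end of the hunk.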
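Review bot: The overflow pre-check in setCompositionTimeToSampleParams would benefit from a comment, because it uses a different idiom from the division-based checks earlier in the same commit and it is not obvious when it can fire. numEntries comes from U32_AT, so `(SIZE_MAX / 8) - 1 < numEntries` can only be true where size_t is 32 bits. A line such as `// reject counts for which (numEntries + 1) * 8 would wrap size_t (32-bit builds)` above the condition would record that. The function continues outside the hunk.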