authorRay Essick <essick@google.com>2016-07-06 10:13:25 -0700
committergitbuildkicker <android-build@google.com>2016-08-16 15:51:48 -0700
commite9ef8505a1a33667ef97b752f77190c24b468015 (patch)
treef5e753c5679024b0f2b19de5039b931fb661dbdb /media
parente441275efea14a98d5a059328e660d9a08b13932 (diff)
Fix corruption via buffer overflow in mediaserver
Change unbounded sprintf() to snprintf() so network-provided values can't overflow the buffers. Applicable to all K/L/M/N branches. Bug: 25747670 Change-Id: Id6a5120c2d08a6fbbd47deffb680ecf82015f4f6
Diffstat (limited to 'media')
-rw-r--r--media/libstagefright/rtsp/ASessionDescription.cpp14
1 files changed, 9 insertions, 5 deletions
diff --git a/media/libstagefright/rtsp/ASessionDescription.cpp b/media/libstagefright/rtsp/ASessionDescription.cpp
index 98498e9..47573c3 100644
--- a/media/libstagefright/rtsp/ASessionDescription.cpp
+++ b/media/libstagefright/rtsp/ASessionDescription.cpp
@@ -17,6 +17,7 @@
//#define LOG_NDEBUG 0
#define LOG_TAG "ASessionDescription"
#include <utils/Log.h>
+#include <cutils/log.h>
#include "ASessionDescription.h"
@@ -211,12 +212,12 @@ void ASessionDescription::getFormatType(
*PT = x;
- char key[20];
- sprintf(key, "a=rtpmap:%lu", x);
+ char key[32];
+ snprintf(key, sizeof(key), "a=rtpmap:%lu", x);
CHECK(findAttribute(index, key, desc));
- sprintf(key, "a=fmtp:%lu", x);
+ snprintf(key, sizeof(key), "a=fmtp:%lu", x);
if (!findAttribute(index, key, params)) {
params->clear();
}
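Review bot: `CHECK(findAttribute(index, key, desc));` still treats a missing `a=rtpmap` line as a fatal assertion. Assuming CHECK aborts the process as it does elsewhere in stagefright, a network-supplied session description that omits the attribute can still take mediaserver down after the overflow is fixed. getFormatType returns void and its body starts and ends outside this hunk, so a graceful failure path needs either a status return or clearing `desc` and `params` before an early return. Until then a comment such as `// TODO: fail the session instead of aborting on malformed SDP` would record the gap. The new `key[32]` holds both keys even with a 64-bit `%lu` (9 + 20 + 1 bytes), which is worth stating beside the declaration.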
@@ -228,8 +229,11 @@ bool ASessionDescription::getDimensions(
*width = 0;
*height = 0;
- char key[20];
- sprintf(key, "a=framesize:%lu", PT);
+ char key[33];
+ snprintf(key, sizeof(key), "a=framesize:%lu", PT);
+ if (PT > 9999999) {
+ android_errorWriteLog(0x534e4554, "25747670");
+ }
AString value;
if (!findAttribute(index, key, &value)) {
return false;
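Review bot: The constants `33` and `9999999` in getDimensions are unexplained, and both encode sizing arithmetic that a later edit could easily break. I would add `// "a=framesize:" (12) + up to 20 digits of a 64-bit unsigned long + NUL` above `char key[33];`. Above the `if` I would add `// PT with more than 7 digits would have overrun the old 20-byte key; log a SafetyNet event (0x534e4554 = "SNET")`. The event is only logged here: getFormatType gets the same snprintf fix but no matching log, although its old `key[20]` could presumably also be overrun by a large enough `x` where `unsigned long` is 64-bit. The function body continues outside this hunk.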