| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| | | | | | |/ /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Bug: 22388975
Change-Id: I3c157b1029d37f6a22e6302ea7b52077fe27ce53
(cherry picked from commit 529c595b083f8a4c3175e2350fba5547e6008e00)
|
| |\ \ \ \ \ \ \
| | |/ / / / / /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
74d3170f: Merge "Fix comparison sign warnings." into klp-dev
* commit '4f0ff02b159892bfa5d3d298efc165e96f93288b':
Fix comparison sign warnings.
|
| | |\ \ \ \ \ \
| | | |/ / / / /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
sign warnings." into klp-dev
* commit '3175ff3f343ecd85700e2029d7709ce960272967':
Fix comparison sign warnings.
|
| | | |\ \ \ \ \
| | | | |/ / / /
| | | | | | | |
| | | | | | | |
| | | | | | | | |
* commit '652926c8a37fb904aaa0756a0d0bae0574f308c5':
Fix comparison sign warnings.
|
| | | | |\ \ \ \
| | | | | |/ / /
| | | | | | | |
| | | | | | | |
| | | | | | | | |
* commit '74d3170ffc02620fcedb5a98c7a66e83ee2faa87':
Fix comparison sign warnings.
|
| | | | | |/ /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Bug:23213430
Change-Id: I6f2e2b03b968a569b122004b4803c5d17fccfb12
(cherry picked from commit 635bc8f90429b2fdcaf7f8d43f7f59bcd0fe951c)
|
| | | | |\ \ \
| | | | | |/ /
| | | | | | |
| | | | | | | |
Change-Id: I127912aed9c9e57a985c46bee13d111e159d2c6f
|
| | | | | |\ \
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
186d1fb9: am f4dfe12e: am 54d88fe2: am aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '9d9491f9fb83523cfe68f2aa26c14f72f70812fc':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
|
| | | | | | |\ \
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
54d88fe2: am aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit 'c99244105803ac32f4cc698b5b2a85b225d925a2':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
|
| | | | | | | |\ \
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
aa8dab77: Merge "MPEG4Extractor.cpp: Add check for size == SIZE_MAX" into jb-dev
* commit '2fe61ed032e083dc39265f3b88274fcb8fbeed9b':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
|
| | | | | | | | |\ \
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
SIZE_MAX" into jb-dev
* commit '54d88fe2f17b1c5c6e4d0d1d1e36089fea3a1df0':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
|
| | | | | | | | | |\ \ |
|
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
If size == SIZE_MAX, the line:
uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
ends up allocating zero bytes, which is obviously incorrect.
This is conceptually a cherrypick of commit
b2d33aee5122c91a59c2a676c0b89ad340232450 , but specifically for
Android 4.1 through Android 4.4. In Android 5.0, new code
was introduced which caused the function parseMetaData()
to be renamed.
Bug: 23031033
Change-Id: Ib34e740f3292a484f8a24e513c1cce58f2f33ecb
|
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
MPEG4Source::parseSampleAuxiliaryInformationOffsets.
Bug: 23270724
Change-Id: Id7ba55c7bf6860fbfc892bbb6378aac644c82da4
|
|\ \ \ \ \ \ \ \ \ \ \ \
| |/ / / / / / / / / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
ba34c2ba: am f59348ed: am 0080e03e: am 3ebcce0e: am 2c0f9591: am fea5921b: am 9fff1d37: am d9d35098: am af6b3a6b: am bce77a36: am 0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '5aa85d05aaeb5509597b7876942b6f5e543a451c':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| |\ \ \ \ \ \ \ \ \ \ \
| | |/ / / / / / / / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
f59348ed: am 0080e03e: am 3ebcce0e: am 2c0f9591: am fea5921b: am 9fff1d37: am d9d35098: am af6b3a6b: am bce77a36: am 0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '74cda34ac909eb713cec22bebb08ecaeefd8f7dd':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | |\ \ \ \ \ \ \ \ \ \
| | | |/ / / / / / / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
3ebcce0e: am 2c0f9591: am fea5921b: am 9fff1d37: am d9d35098: am af6b3a6b: am bce77a36: am 0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit 'c88ddfc09338969a4c8fc32be1d3dffb9022a237':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | | |\ \ \ \ \ \ \ \ \
| | | | |/ / / / / / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
fea5921b: am 9fff1d37: am d9d35098: am af6b3a6b: am bce77a36: am 0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit 'ba34c2ba414352ed0c1b9188f51c5445b04af2c6':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | | | |\ \ \ \ \ \ \ \
| | | | | |/ / / / / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
9fff1d37: am d9d35098: am af6b3a6b: am bce77a36: am 0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit 'f59348edfc54baa8f6e6532c6484656cf444d199':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | | | | |\ \ \ \ \ \ \
| | | | | | |/ / / / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
d9d35098: am af6b3a6b: am bce77a36: am 0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '0080e03e2a69dcb5ecbcb2848f358ca73163714c':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | | | | | |\ \ \ \ \ \
| | | | | | | |/ / / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
bce77a36: am 0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit '2c0f959112a1d9048e8dc527f2f9dc0cc3e490c9':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | | | | | | |\ \ \ \ \
| | | | | | | | |/ / / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
0e20b209: MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
* commit 'fea5921b975cf43c88b8f93d4f2500abde6088be':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | | | | | | | |\ \ \ \
| | | | | | | | | |/ / /
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
* commit 'bce77a36125b25ce864b40bd5938ca89becea898':
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
|
| | | | | | | | | |/ /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
chunk_size is a uint64_t, so it can legitimately be bigger
than SIZE_MAX, which would cause the subtraction to underflow.
https://code.google.com/p/android/issues/detail?id=182251
Bug: 23034759
Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547
|
| | | | | | |\ \ \ \ \
| | | | | | | |/ / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
3329a19b: am c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '11c88f66205dd9095cbe87f3486ef7262e4d2e22':
Fix integer underflow in covr MPEG4 processing
|
| | | | | | | |\ \ \ \
| | | | | | | | |/ / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
c87faed6: Fix integer underflow in covr MPEG4 processing
* commit '2796ba1c511517a4904d10d1fdc830c86d161342':
Fix integer underflow in covr MPEG4 processing
|
| | | | | | | | |\ \ \
| | | | | | | | | |/ /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
* commit '3329a19b4d11d3c1310bbe9aa54b6a66488ab862':
Fix integer underflow in covr MPEG4 processing
|
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.
Bug: 20923261
(cherry picked from commit 4a492bf2ac47b9844d2527e1fcdf0064c3d8d52e)
Change-Id: I83490cbaf5b368073fcd8668a9241dfc90bebd90
|
| | | | | | |\ \ \ \ \
| | | | | | | |/ / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
a5b9055d: am f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit 'bb99a362dc76f9bf040f6256369fabf27ad1c2f5':
Fix integer overflow when handling MPEG4 tx3g atom
|
| | | | | | | |\ \ \ \
| | | | | | | | |/ / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
f1ce97dd: Fix integer overflow when handling MPEG4 tx3g atom
* commit '8d60fc3e3ecd4d7c2b18f25962f0ea42f3644ebd':
Fix integer overflow when handling MPEG4 tx3g atom
|
| | | | | | | | |\ \ \
| | | | | | | | | |/ /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
* commit 'a5b9055d7ce1d82ee29ed2f45aa4f8a82ccc76f2':
Fix integer overflow when handling MPEG4 tx3g atom
|
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
When the sum of the 'size' and 'chunk_size' variables is larger than 2^32,
an integer overflow occurs. Using the result value to allocate memory
leads to an undersized buffer allocation and later a potentially
exploitable heap corruption condition. Ensure that integer overflow does
not occur.
Bug: 20923261
(cherry picked from commit e5f0966c76bd0a7e81e4205c8d8b55e6b34c833e)
Change-Id: I3f240f75fd681becbf89cb7e7554388471c28059
|
| | | | | | |\ \ \ \ \
| | | | | | | |/ / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
* commit '430475da7f0edb86ee6a85378d1583ab07f7f93d':
Prevent integer overflow when processing covr MPEG4 atoms
|
| | | | | | | |\ \ \ \
| | | | | | | | |/ / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
Bug: 20923261
Change-Id: I6fe12a7c5768f77454bd0391b07f4c3181607d14
|
| | | | | | | | |\ \ \
| | | | | | | | | |/ /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
MPEG4 atoms
* commit '9481a101f8246263d969af66a7b39fad7346772e':
Prevent integer overflow when processing covr MPEG4 atoms
|
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.
(cherrypicked from commit 05ddc499b9d50c90f552ed1333110f28a1406e7c)
Bug: 20923261
Change-Id: If09a02738759acdff8d95149bb9cb5f18a0a123e
|
| |\ \ \ \ \ \ \ \ \ \
| | |/ / / / / / / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
2e637bfd: Merge "Extra sanity checks on sample size and resolution" into klp-dev
* commit '6323529b60f29ad1e18757f4aadc08f2aa0e846b':
Extra sanity checks on sample size and resolution
|
| | |\ \ \ \ \ \ \ \ \
| | | |/ / / / / / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
checks on sample size and resolution" into klp-dev
* commit 'c40ef74448ddb09b676cc4c79a202ee73fccad39':
Extra sanity checks on sample size and resolution
|
| | | |\ \ \ \ \ \ \ \
| | | | |/ / / / / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
resolution" into klp-dev
* commit '9c67741f9f7ccc1007c7ecb44b8037210c733723':
Extra sanity checks on sample size and resolution
|
| | | | |\ \ \ \ \ \ \
| | | | | |/ / / / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
klp-dev
* commit '2e637bfd64c59200414130671e32e3e087e9f147':
Extra sanity checks on sample size and resolution
|
| | | | | | |_|_|_|/
| | | | | |/| | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
Instead of rejecting the samples later when they don't fit in the
buffer, reject the entire file early.
Bug: 22882938
Change-Id: I748153b0e9e827e3f2526468756295b4b5000de6
(cherry picked from commit beef7e58c1f1837bdaed6ac37414d8c48a133813)
|
|\ \ \ \ \ \ \ \ \ \
| |/ / / / / / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
* commit '1a053a0ae002cdda31c39d4c7447b1f7e65dfec6':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
|
| |\ \ \ \ \ \ \ \ \
| | |/ / / / / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
check for size == SIZE_MAX
* commit '6f3dc2f34ed8043d30937f436979ef360dcf3774':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
|
| | |\ \ \ \ \ \ \ \
| | | |/ / / / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
* commit 'b449e46904854eccea79a40e16b2ba5132611bf3':
MPEG4Extractor.cpp: Add check for size == SIZE_MAX
|
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
If size == SIZE_MAX, the line:
uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
ends up allocating zero bytes, which is obviously incorrect.
(cherry picked from commit b2d33aee5122c91a59c2a676c0b89ad340232450)
Bug: 23031033
Change-Id: I8027247a4e24d2c8a8b4eac88c3643eccda108b9
|
| |\ \ \ \ \ \ \ \ \
| | |/ / / / / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
bcd5edf9: am 13c925ca: am 6ff53b96: Merge "Prevent integer overflow when processing covr MPEG4 atoms" into klp-dev
* commit '2d80c0a13c40f29d2a4b4aca8765705cbb4b2fe8':
Prevent integer overflow when processing covr MPEG4 atoms
|
| | |\ \ \ \ \ \ \ \
| | | |/ / / / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
overflow when processing covr MPEG4 atoms" into klp-dev
* commit '370290f400ff3057a71a192a70dfd69499aa8937':
Prevent integer overflow when processing covr MPEG4 atoms
|
| | | |\ \ \ \ \ \ \
| | | | |/ / / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
covr MPEG4 atoms" into klp-dev
* commit '13c925cab2decaed6786b0642f2b5a9f8516e71a':
Prevent integer overflow when processing covr MPEG4 atoms
|
| | | | |\ \ \ \ \ \
| | | | | |/ / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
atoms" into klp-dev
* commit '6ff53b96235bf99cdc1023b99d44f1c4cade1c0a':
Prevent integer overflow when processing covr MPEG4 atoms
|
| | | | | |\ \ \ \ \ |
|