From e3b0877212dacc0b3e65fce1d4ee4352e8ed9fb3 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <android-open-source@qoop.org>
Date: Wed, 8 Apr 2015 23:53:10 -0500
Subject: Fix integer underflow in ESDS processing

Several arithmetic operations within parseESDescriptor could underflow, leading
to an out-of-bounds read operation. Ensure that subtractions from 'size' do not
cause it to wrap around.

Bug: 20139950
Change-Id: Ie987c58e49323ff273fd57db410534fa83db1cb2

Signed-off-by: Joshua J. Drake <android-open-source@qoop.org>
Tested-by: Moritz Bandemer <replicant@posteo.mx>
---
 media/libstagefright/ESDS.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp
index 4a0c35c..c76bc4a 100644
--- a/media/libstagefright/ESDS.cpp
+++ b/media/libstagefright/ESDS.cpp
@@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) {
     --size;
 
     if (streamDependenceFlag) {
+        if (size < 2)
+            return ERROR_MALFORMED;
         offset += 2;
         size -= 2;
     }
@@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) {
             return ERROR_MALFORMED;
         }
         unsigned URLlength = mData[offset];
+        if (URLlength >= size)
+            return ERROR_MALFORMED;
         offset += URLlength + 1;
         size -= URLlength + 1;
     }
 
     if (OCRstreamFlag) {
+        if (size < 2)
+            return ERROR_MALFORMED;
         offset += 2;
         size -= 2;
 
-- 
cgit v1.1