From 92742eb7af414d5818fd09fafddb6d6f79c0d9a9 Mon Sep 17 00:00:00 2001
From: Robert Shih <robertshih@google.com>
Date: Thu, 20 Aug 2015 15:29:05 -0700
Subject: OMXCodec: fix potential OOB read in parseHEVCCodecSpecificData

Bug: 23279597
Change-Id: Ibaa3d52e586e65230ec6df3680d9456ce873390c
---
 media/libstagefright/OMXCodec.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'media/libstagefright/OMXCodec.cpp')

diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp
index abe19a0..7f97039 100644
--- a/media/libstagefright/OMXCodec.cpp
+++ b/media/libstagefright/OMXCodec.cpp
@@ -399,7 +399,7 @@ status_t OMXCodec::parseHEVCCodecSpecificData(
     const uint8_t *ptr = (const uint8_t *)data;
 
     // verify minimum size and configurationVersion == 1.
-    if (size < 7 || ptr[0] != 1) {
+    if (size < 23 || ptr[0] != 1) {
         return ERROR_MALFORMED;
     }
 
@@ -414,6 +414,9 @@ status_t OMXCodec::parseHEVCCodecSpecificData(
     size -= 1;
     size_t j = 0, i = 0;
     for (i = 0; i < numofArrays; i++) {
+        if (size < 3) {
+            return ERROR_MALFORMED;
+        }
         ptr += 1;
         size -= 1;
 
-- 
cgit v1.1