From 4f236c532039a61f0cf681d2e3c6e022911bbb5c Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 28 Apr 2016 13:32:41 -0700 Subject: Check section size when verifying CRC Bug: 28333006 Change-Id: Ief7a2da848face78f0edde21e2f2009316076679 --- media/libstagefright/mpeg2ts/ATSParser.cpp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/mpeg2ts/ATSParser.cpp b/media/libstagefright/mpeg2ts/ATSParser.cpp index e3c3e80..2f2b115 100644 --- a/media/libstagefright/mpeg2ts/ATSParser.cpp +++ b/media/libstagefright/mpeg2ts/ATSParser.cpp @@ -1713,6 +1713,13 @@ bool ATSParser::PSISection::isCRCOkay() const { unsigned sectionLength = U16_AT(data + 1) & 0xfff; ALOGV("sectionLength %u, skip %u", sectionLength, mSkipBytes); + + if(sectionLength < mSkipBytes) { + ALOGE("b/28333006"); + android_errorWriteLog(0x534e4554, "28333006"); + return false; + } + // Skip the preceding field present when payload start indicator is on. sectionLength -= mSkipBytes; -- cgit v1.1 From 60547808ca4e9cfac50028c00c58a6ceb2319301 Mon Sep 17 00:00:00 2001 From: Pawin Vongmasa Date: Wed, 11 May 2016 16:08:21 -0700 Subject: h264bsdActivateParamSets: Prevent multiplication overflow. Report MEMORY_ALLOCATION_ERROR if pStorage->picSizeInMbs would exceed UINT32_MAX bytes. Bug: 28532266 Change-Id: Ia6f11efb18818afcdb5fa2a38a14f2a2d8c8447a --- .../codecs/on2/h264dec/source/h264bsd_storage.c | 24 +++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c index 3234754..ff7a42a 100644 --- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c +++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_storage.c 
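Review bot: The new guard `if(sectionLength < mSkipBytes)` stops the subtraction from wrapping, but it still allows `sectionLength` to end up at 0 or at fewer than the 4 bytes a CRC_32 occupies; the remainder of isCRCOkay is outside the hunk, so if it reads the CRC from the tail of the section a lower bound on the remaining length is worth confirming there. Style: the surrounding code writes `if (` with a space, so `if (sectionLength < mSkipBytes) {` would match the file. The error log carries only a bug id; reusing the `%u` formats of the ALOGV just above, `ALOGE("b/28333006: sectionLength %u < skip %u", sectionLength, mSkipBytes);` would make a field report actionable.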
@@ -58,6 +58,10 @@ 3. Module defines ------------------------------------------------------------------------------*/ +#ifndef UINT32_MAX +#define UINT32_MAX (4294967295U) +#endif + /*------------------------------------------------------------------------------ 4. Local function prototypes ------------------------------------------------------------------------------*/ @@ -326,9 +330,23 @@ u32 h264bsdActivateParamSets(storage_t *pStorage, u32 ppsId, u32 isIdr) pStorage->activePps = pStorage->pps[ppsId]; pStorage->activeSpsId = pStorage->activePps->seqParameterSetId; pStorage->activeSps = pStorage->sps[pStorage->activeSpsId]; - pStorage->picSizeInMbs = - pStorage->activeSps->picWidthInMbs * - pStorage->activeSps->picHeightInMbs; + + /* report error before multiplication to prevent integer overflow */ + if (pStorage->activeSps->picWidthInMbs == 0) + { + pStorage->picSizeInMbs = 0; + } + else if (pStorage->activeSps->picHeightInMbs > + UINT32_MAX / pStorage->activeSps->picWidthInMbs) + { + return(MEMORY_ALLOCATION_ERROR); + } + else + { + pStorage->picSizeInMbs = + pStorage->activeSps->picWidthInMbs * + pStorage->activeSps->picHeightInMbs; + } pStorage->currImage->width = pStorage->activeSps->picWidthInMbs; pStorage->currImage->height = pStorage->activeSps->picHeightInMbs; -- cgit v1.1 From e248db02fbab2ee9162940bc19f087fd7d96cb9d Mon Sep 17 00:00:00 2001 From: Jeff Tinker Date: Fri, 13 May 2016 11:48:11 -0700 Subject: Fix security vulnerability in libstagefright bug: 28175045 Change-Id: Icee6c7eb5b761da4aa3e412fb71825508d74d38f --- media/libstagefright/DRMExtractor.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp index 9cb6e86..e2bc89c 100644 --- a/media/libstagefright/DRMExtractor.cpp +++ b/media/libstagefright/DRMExtractor.cpp 
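Review bot: The `#ifndef UINT32_MAX` fallback works around a missing `<stdint.h>` include rather than adding one; if the toolchain provides the header, `#include <stdint.h>` keeps a single authoritative definition instead of a file-local macro that could diverge from the platform's. The fallback value `4294967295U` is correct for a 32-bit unsigned int, so this is a maintenance point rather than a defect.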
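Review bot: On the `return(MEMORY_ALLOCATION_ERROR)` path the storage has already been switched — `activePps`, `activeSpsId` and `activeSps` are assigned a few lines earlier in the hunk — while `picSizeInMbs` and the `currImage` dimensions still describe the previous parameter set; whether a caller can continue decoding with that mixed state depends on code outside the hunk, but moving the overflow check ahead of those three assignments would remove the question. The guard itself is right for the u32 product (`picHeightInMbs > UINT32_MAX / picWidthInMbs`, with the zero-width case split out), though it bounds macroblocks rather than bytes as the commit message says, so any later multiplication of `picSizeInMbs` by a per-macroblock byte size needs its own check. A comment such as `/* zero width: size 0, nothing to overflow */` on the first branch would explain why `picWidthInMbs == 0` is accepted rather than rejected.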
@@ -200,7 +200,17 @@ status_t DRMSource::read(MediaBuffer **buffer, const ReadOptions *options) { continue; } - CHECK(dstOffset + 4 <= (*buffer)->size()); + if (dstOffset > SIZE_MAX - 4 || + dstOffset + 4 > SIZE_MAX - nalLength || + dstOffset + 4 + nalLength > (*buffer)->size()) { + (*buffer)->release(); + (*buffer) = NULL; + if (decryptedDrmBuffer.data) { + delete [] decryptedDrmBuffer.data; + decryptedDrmBuffer.data = NULL; + } + return ERROR_MALFORMED; + } dstData[dstOffset++] = 0; dstData[dstOffset++] = 0; -- cgit v1.1 From e7142a0703bc93f75e213e96ebc19000022afed9 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Wed, 11 May 2016 11:11:20 -0700 Subject: Check malloc result to avoid NPD Bug: 28471206 Change-Id: Id5d055d76893d6f53a2e524ff5f282d1ddca3345 --- media/libstagefright/MPEG4Extractor.cpp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index f8789da..f6206d2 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -535,6 +535,10 @@ status_t MPEG4Extractor::readMetaData() { } if (psshsize > 0 && psshsize <= UINT32_MAX) { char *buf = (char*)malloc(psshsize); + if (!buf) { + ALOGE("b/28471206"); + return NO_MEMORY; + } char *ptr = buf; for (size_t i = 0; i < mPssh.size(); i++) { memcpy(ptr, mPssh[i].uuid, 20); // uuid + length @@ -1702,6 +1706,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { sp buffer = new ABuffer(chunk_data_size); + if (buffer->data() == NULL) { + ALOGE("b/28471206"); + return NO_MEMORY; + } + if (mDataSource->readAt( data_offset, buffer->data(), chunk_data_size) < chunk_data_size) { return ERROR_IO; 
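Review bot: The eight-line error path — release the output buffer, null it, delete `decryptedDrmBuffer.data`, return `ERROR_MALFORMED` — probably duplicates tear-down that the other exits of DRMSource::read already perform (they are outside the hunk); if so, a small local cleanup helper or a single error label would keep the three steps from drifting apart. The three-part bound is sound: each addition is performed only after the previous comparison proved it cannot wrap, and the final `dstOffset + 4 + nalLength > (*buffer)->size()` covers the NAL payload that the old `CHECK` (which only covered the 4-byte start code, and aborted rather than returned) did not. The enclosing loop and function start and continue outside the hunk.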
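Review bot: The null check on `malloc(psshsize)` is correct, but `ALOGE("b/28471206")` gives an operator no hint which allocation failed; a message naming the buffer, e.g. `ALOGE("b/28471206: pssh buffer allocation failed");`, ideally with `psshsize` appended using the specifier that matches its declared type (the declaration is outside the hunk), would be more useful in a crash report. The rest of readMetaData, including where `buf` is freed on the success path, is outside the hunk.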
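Review bot: The `buffer->data() == NULL` test after `new ABuffer(chunk_data_size)` is repeated verbatim in the hunks at -1719 and -2051 on the next line, and this note applies to all three. One thing to confirm: if ABuffer leaves `data()` null for a zero-byte allocation, a zero-length chunk on these paths now fails with `NO_MEMORY` before reaching `readAt`; that depends on ABuffer's allocation behaviour, which is outside the hunk, so a comment stating the assumption — `// ABuffer leaves data() NULL when its allocation failed` — would record why NO_MEMORY is the intended code. As with the malloc check above, a log line that names the chunk being read would make the three identical `ALOGE("b/28471206")` messages distinguishable.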
@@ -1719,6 +1728,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { { sp buffer = new ABuffer(chunk_data_size); + if (buffer->data() == NULL) { + ALOGE("b/28471206"); + return NO_MEMORY; + } + if (mDataSource->readAt( data_offset, buffer->data(), chunk_data_size) < chunk_data_size) { return ERROR_IO; @@ -2051,6 +2065,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { return ERROR_MALFORMED; } sp buffer = new ABuffer(chunk_data_size + 1); + if (buffer->data() == NULL) { + ALOGE("b/28471206"); + return NO_MEMORY; + } if (mDataSource->readAt( data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) { return ERROR_IO; -- cgit v1.1 From f81038006b4c59a5a148dcad887371206033c28f Mon Sep 17 00:00:00 2001 From: Wei Jia Date: Fri, 28 Aug 2015 10:35:35 -0700 Subject: MPEG4Extractor: ensure kKeyTrackID exists before creating an MPEG4Source as track. GenericSource: return error when no track exists. SampleIterator: make sure mSamplesPerChunk is not zero before using it as divisor. Bug: 21657957 Bug: 23705695 Bug: 22802344 Bug: 28799341 Change-Id: I7664992ade90b935d3f255dcd43ecc2898f30b04 (cherry picked from commit 0386c91b8a910a134e5898ffa924c1b6c7560b13) --- media/libstagefright/MPEG4Extractor.cpp | 8 ++++++++ media/libstagefright/SampleIterator.cpp | 5 +++++ 2 files changed, 13 insertions(+) (limited to 'media/libstagefright') diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index f6206d2..4c10cc9 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -933,6 +933,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { } if (isTrack) { + int32_t trackId; + // There must be exact one track header per track. + if (!mLastTrack->meta->findInt32(kKeyTrackID, &trackId)) { + mLastTrack->skipTrack = true; + } if (mLastTrack->skipTrack) { Track *cur = mFirstTrack; 
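Review bot: The new comment reads `// There must be exact one track header per track.`; the grammatical form is `// There must be exactly one track header per track.`, and since the visible check enforces only that a header exists, not that there is exactly one, `// A track without a track header (kKeyTrackID) is dropped.` describes what the code actually does. `trackId` is used purely as an out-parameter for the lookup; a short comment saying so, or declaring it adjacent to the `findInt32` call, would make that clear. The enclosing `if (isTrack)` block and parseChunk continue past the hunk.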
@@ -2869,6 +2874,9 @@ sp MPEG4Extractor::getTrack(size_t index) { break; } } + } else { + ALOGE("b/21657957"); + return NULL; } ALOGV("getTrack called, pssh: %zu", mPssh.size()); diff --git a/media/libstagefright/SampleIterator.cpp b/media/libstagefright/SampleIterator.cpp index 2748349..c5f359e 100644 --- a/media/libstagefright/SampleIterator.cpp +++ b/media/libstagefright/SampleIterator.cpp @@ -84,6 +84,11 @@ status_t SampleIterator::seekTo(uint32_t sampleIndex) { CHECK(sampleIndex < mStopChunkSampleIndex); + if (mSamplesPerChunk == 0) { + ALOGE("b/22802344"); + return ERROR_MALFORMED; + } + uint32_t chunk = (sampleIndex - mFirstChunkSampleIndex) / mSamplesPerChunk + mFirstChunk; -- cgit v1.1
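Review bot: The new `else` branch returns NULL with only a bug id in the log, and the condition it complements is outside the hunk, so a reader of the log cannot tell what was rejected. Since `index` is a `size_t` per the hunk header, `ALOGE("b/21657957: getTrack(%zu) rejected", index);` would make the failure diagnosable. Callers of getTrack must already tolerate a NULL return for this to be safe; that cannot be verified from here.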
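Review bot: The `mSamplesPerChunk == 0` guard correctly prevents the division on the following line, but it sits directly under `CHECK(sampleIndex < mStopChunkSampleIndex)`, which aborts rather than returns; the two adjacent checks now treat a bad value differently (abort vs `ERROR_MALFORMED`), so it is worth confirming that the CHECK guards an internal invariant rather than a stream-derived value. Rejecting a zero samples-per-chunk entry where the chunk table is parsed, so the iterator can never hold one, would be the more robust placement, but that code is outside the hunk. A one-line comment, `// zero samples per chunk is malformed and would divide by zero below`, would explain the early return.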