From 85473b3d8e9a5ed76a431924b21b0b10e19bc7a0 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 12 Jan 2017 15:49:04 -0800 Subject: Don't initialize sync sample parameters until the end to avoid leaving them in a partially initialized state. Bug: 33137046 Test: ran CTS tests CVE-2017-0483 Change-Id: I1f5c070233c5917d85da9e930e01a3fc51a0a0ec (cherry picked from commit a9660fe122ca382e1777e0c5d3c42ca67ffb0377) (cherry picked from commit bc62c086e9ba7530723dc8874b83159f4d77d976) --- media/libstagefright/SampleTable.cpp | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 8a38c24..2d7e613 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -512,8 +512,6 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) return ERROR_MALFORMED; } - mSyncSampleOffset = data_offset; - uint8_t header[8]; if (mDataSource->readAt( data_offset, header, sizeof(header)) < (ssize_t)sizeof(header)) { @@ -525,13 +523,13 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) return ERROR_MALFORMED; } - mNumSyncSamples = U32_AT(&header[4]); + uint32_t numSyncSamples = U32_AT(&header[4]); - if (mNumSyncSamples < 2) { + if (numSyncSamples < 2) { ALOGV("Table of sync samples is empty or has only a single entry!"); } - uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); + uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t); if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; @@ -549,22 +547,27 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) return ERROR_OUT_OF_RANGE; } - mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples]; + mSyncSamples = new (std::nothrow) uint32_t[numSyncSamples]; if (!mSyncSamples) { ALOGE("Cannot allocate sync sample table with %llu entries.", - (unsigned long long)mNumSyncSamples); + (unsigned long long)numSyncSamples); return ERROR_OUT_OF_RANGE; } - if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, + if (mDataSource->readAt(data_offset + 8, mSyncSamples, (size_t)allocSize) != (ssize_t)allocSize) { + delete mSyncSamples; + mSyncSamples = NULL; return ERROR_IO; } - for (size_t i = 0; i < mNumSyncSamples; ++i) { + for (size_t i = 0; i < numSyncSamples; ++i) { mSyncSamples[i] = ntohl(mSyncSamples[i]) - 1; } + mSyncSampleOffset = data_offset; + mNumSyncSamples = numSyncSamples; + return OK; } -- cgit v1.1 From e9598179f3e286a58e8222a3654701b330cd5268 Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Tue, 24 Jan 2017 18:08:59 -0800 Subject: avc_utils: skip empty NALs from malformed bistreams Avoid a CHECK and make it the decoder's repsonsibility to handle a malformed bistream gracefully. Bug: 34509901 Bug: 33137046 Test: StagefrightTest#testStagefright_bug_27855419_CVE_2016_2463 CVE-2017-0483 Change-Id: I2d94f8da63d65a86a9c711c45546e4c695e0f3b4 (cherry picked from commit 91fe76a157847825601b8f7a627efd1c9cbadcae) (cherry picked from commit 5cabe32a59f9be1e913b6a07a23d4cfa55e3fb2f) --- media/libstagefright/avc_utils.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/avc_utils.cpp b/media/libstagefright/avc_utils.cpp index 98b5c0e..bf014ba 100644 --- a/media/libstagefright/avc_utils.cpp +++ b/media/libstagefright/avc_utils.cpp @@ -454,7 +454,10 @@ bool IsAVCReferenceFrame(const sp &accessUnit) { size_t nalSize; bool bIsReferenceFrame = true; while (getNextNALUnit(&data, &size, &nalStart, &nalSize, true) == OK) { - CHECK_GT(nalSize, 0u); + if (nalSize == 0u) { + ALOGW("skipping empty nal unit from potentially malformed bitstream"); + continue; + } unsigned nalType = nalStart[0] & 0x1f; -- cgit v1.1 From dc7805b0c79d056385a076422894425984af2aa0 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Mon, 13 Feb 2017 14:19:40 -0800 Subject: resolve merge conflicts of 79cf158c51 to mnc-dev AOSP-Change-Id: Ied32e83215e386c801c02991a0b2fa4baa25b643 CVE-2017-0558 (cherry picked from commit 50358a80b1724f6cf1bcdf003e1abf9cc141b122) Change-Id: Ic2e40c7d6aec8427444a1fd145726e490e994d08 --- media/libstagefright/wifi-display/rtp/RTPSender.cpp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'media/libstagefright') diff --git a/media/libstagefright/wifi-display/rtp/RTPSender.cpp b/media/libstagefright/wifi-display/rtp/RTPSender.cpp index c66a898..83af393 100644 --- a/media/libstagefright/wifi-display/rtp/RTPSender.cpp +++ b/media/libstagefright/wifi-display/rtp/RTPSender.cpp @@ -762,10 +762,16 @@ status_t RTPSender::parseTSFB(const uint8_t *data, size_t size) { return OK; } -status_t RTPSender::parseAPP(const uint8_t *data, size_t size __unused) { - if (!memcmp("late", &data[8], 4)) { - int64_t avgLatencyUs = (int64_t)U64_AT(&data[12]); - int64_t maxLatencyUs = (int64_t)U64_AT(&data[20]); +status_t RTPSender::parseAPP(const uint8_t *data, size_t size) { + static const size_t late_offset = 8; + static const char late_string[] = "late"; + static const size_t avgLatencyUs_offset = late_offset + sizeof(late_string) - 1; + static const size_t maxLatencyUs_offset = avgLatencyUs_offset + sizeof(int64_t); + + if ((size >= (maxLatencyUs_offset + sizeof(int64_t))) + && !memcmp(late_string, &data[late_offset], sizeof(late_string) - 1)) { + int64_t avgLatencyUs = (int64_t)U64_AT(&data[avgLatencyUs_offset]); + int64_t maxLatencyUs = (int64_t)U64_AT(&data[maxLatencyUs_offset]); sp notify = mNotify->dup(); notify->setInt32("what", kWhatInformSender); -- cgit v1.1