FPII-2925 :Information disclosure vulnerability in Mediaserver CVE-2017-0558 A-34056274
stagefright: parseApp check data boundary conditions
Test: compile, no poc for boundary violation.
Bug: 34056274
Change-Id: I23f5ccba8f211e01d9a3a741c8ea537b55aab4e2
(cherry picked from commit 9b6b81d366e3f37bfe1ad3fc3d5bfd96f901fb96)
diff --git a/media/libstagefright/wifi-display/rtp/RTPSender.cpp b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
index e88a3bd..45321c6 100644
--- a/media/libstagefright/wifi-display/rtp/RTPSender.cpp
+++ b/media/libstagefright/wifi-display/rtp/RTPSender.cpp
@@ -765,9 +765,15 @@
}
status_t RTPSender::parseAPP(const uint8_t *data, size_t size) {
- if (!memcmp("late", &data[8], 4)) {
- int64_t avgLatencyUs = (int64_t)U64_AT(&data[12]);
- int64_t maxLatencyUs = (int64_t)U64_AT(&data[20]);
+ static const size_t late_offset = 8;
+ static const char late_string[] = "late";
+ static const size_t avgLatencyUs_offset = late_offset + sizeof(late_string) - 1;
+ static const size_t maxLatencyUs_offset = avgLatencyUs_offset + sizeof(int64_t);
+
+ if ((size >= (maxLatencyUs_offset + sizeof(int64_t)))
+ && !memcmp(late_string, &data[late_offset], sizeof(late_string) - 1)) {
+ int64_t avgLatencyUs = (int64_t)U64_AT(&data[avgLatencyUs_offset]);
+ int64_t maxLatencyUs = (int64_t)U64_AT(&data[maxLatencyUs_offset]);
sp<AMessage> notify = mNotify->dup();
notify->setInt32("what", kWhatInformSender);
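Review bot: The combined condition `(size >= (maxLatencyUs_offset + sizeof(int64_t))) && !memcmp(...)` makes a truncated "late" APP packet indistinguishable from an APP packet with a different name: both skip the branch with no log and, as far as this hunk shows, no error. Since the packet arrives from the remote peer, it would help triage to compare the name first (this needs only `size >= late_offset + sizeof(late_string) - 1`) and, when the name matches but the two 64-bit fields do not fit, emit something like `ALOGW("short 'late' APP packet, size %zu", size);` and return an error status. A one-line comment above the constants stating the assumed layout (8 bytes of RTCP header and SSRC, a 4-byte name, then two big-endian 64-bit values) would also make the offsets checkable against the peer's format. The rest of parseAPP, including its return value, lies outside the hunk, and the commit message says the boundary case was only compile-tested, so a unit test feeding 11-, 12- and 27-byte buffers is worth adding.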