Merge branch 'security-aosp-pi-release' into int/p/fp2
* security-aosp-pi-release:
SimpleDecodingSource: Prevent OOB write in heap mem
Fix heap-buffer-overflow in MPEG4Extractor
Change-Id: Id610a2db4fb24b4eeecd2869307f81117c0699ce
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 7b3b81d..0873c5f 100644
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -135,6 +135,7 @@
bool mWantsNALFragments;
+ size_t mSrcBufferSize;
uint8_t *mSrcBuffer;
bool mIsHeif;
@@ -3862,6 +3863,7 @@
mGroup(NULL),
mBuffer(NULL),
mWantsNALFragments(false),
+ mSrcBufferSize(0),
mSrcBuffer(NULL),
mIsHeif(itemTable != NULL),
mItemTable(itemTable) {
@@ -3979,6 +3981,7 @@
mGroup = NULL;
return ERROR_MALFORMED;
}
+ mSrcBufferSize = max_size;
mStarted = true;
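Review bot: `mSrcBufferSize = max_size;` is only correct as long as it stays in step with the `mSrcBuffer` allocation that precedes this hunk, and nothing at the assignment says so; a comment such as `// Must match the size of mSrcBuffer allocated above; the read path bounds non-DRM reads against it.` would keep the two from drifting apart in a later edit. The enclosing function (presumably start(), given the `mStarted = true;` that follows) begins outside the hunk, so the allocation and its error check are not visible here.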
@@ -3995,6 +3998,7 @@
mBuffer = NULL;
}
+ mSrcBufferSize = 0;
delete[] mSrcBuffer;
mSrcBuffer = NULL;
@@ -4913,11 +4917,15 @@
ssize_t num_bytes_read = 0;
int32_t drm = 0;
bool usesDRM = (mFormat.findInt32(kKeyIsDRM, &drm) && drm != 0);
- if (usesDRM) {
+ if (usesDRM && size <= mBuffer->size()) {
num_bytes_read =
mDataSource->readAt(offset, (uint8_t*)mBuffer->data(), size);
- } else {
+ } else if (!usesDRM && size <= mSrcBufferSize) {
num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
+ // The sample is larger than the expected maximum size. Fall through and let the failure
+ // be handled by the following if.
+ android_errorWriteLog(0x534e4554, "188893559");
}
if (num_bytes_read < (ssize_t)size) {
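Review bot: The two guarded branches each repeat the `usesDRM` test and compare `size` against a different limit, so the bound being enforced has to be reconstructed from both conditions; computing it once states the rule directly, e.g. `const size_t limit = usesDRM ? mBuffer->size() : mSrcBufferSize;` followed by `if (size > limit) { android_errorWriteLog(0x534e4554, "188893559"); } else if (usesDRM) { … } else { … }`, with the existing explanatory comment moved onto the `size > limit` branch. The fall-through itself is sound: in the rejecting branch `size` exceeds an unsigned limit and is therefore non-zero, so `num_bytes_read` (still 0) fails the `num_bytes_read < (ssize_t)size` check that follows. The check also depends on `mSrcBufferSize` being maintained alongside `mSrcBuffer` in start()/stop(), which the earlier hunks in this file do. The enclosing read function begins and ends outside the hunk.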
diff --git a/media/libstagefright/SimpleDecodingSource.cpp b/media/libstagefright/SimpleDecodingSource.cpp
index 404c537..539e461 100644
--- a/media/libstagefright/SimpleDecodingSource.cpp
+++ b/media/libstagefright/SimpleDecodingSource.cpp
@@ -317,18 +317,23 @@
}
size_t cpLen = min(in_buf->range_length(), in_buffer->capacity());
memcpy(in_buffer->base(), (uint8_t *)in_buf->data() + in_buf->range_offset(),
- cpLen );
+ cpLen);
if (mIsVorbis) {
int32_t numPageSamples;
if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
numPageSamples = -1;
}
- memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+ memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ cpLen += sizeof(numPageSamples);
+ } else {
+ ALOGW("Didn't have enough space to copy kKeyValidSamples");
+ }
}
res = mCodec->queueInputBuffer(
- in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+ in_ix, 0 /* offset */, cpLen,
timestampUs, 0 /* flags */);
if (res != OK) {
ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);