diff options
author | Dongwon Kang <dwkang@google.com> | 2017-06-12 12:58:58 -0700 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2017-09-17 22:11:19 +0200 |
commit | d7b3d7418d569a0fc98de373fb3bdf878826be2e (patch) | |
tree | c8898f66c004625a99b93a1bd40379c7e2192f8c | |
parent | 6a8fda20b9170dc650c4eefd3c18d5eb620d48e2 (diff) | |
download | frameworks_av-d7b3d7418d569a0fc98de373fb3bdf878826be2e.tar.gz frameworks_av-d7b3d7418d569a0fc98de373fb3bdf878826be2e.tar.bz2 frameworks_av-d7b3d7418d569a0fc98de373fb3bdf878826be2e.zip |
MPEG4Extractor: check size for yrrc box
Test: stagefright -s poc_file
Bug: 62133227
Change-Id: Iafefac39764ce01b4dde414b9f152c9ea71810e9
(cherry picked from commit 6ace94d2952eac82fc4c86aa6d585258248bf18c)
CVE-2017-0778
-rwxr-xr-x | media/libstagefright/MPEG4Extractor.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index af7781b9d0..5e5c88a0c1 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -2793,6 +2793,13 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept } case FOURCC('y', 'r', 'r', 'c'): { + if (size < 6) { + delete[] buffer; + buffer = NULL; + ALOGE("b/62133227"); + android_errorWriteLog(0x534e4554, "62133227"); + return ERROR_MALFORMED; + } char tmp[5]; uint16_t year = U16_AT(&buffer[4]); @@ -2815,6 +2822,8 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept // smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00 if (size < 6) { + delete[] buffer; + buffer = NULL; return ERROR_MALFORMED; } |