diff options
author | Aalique Grahame <agrahame@codeaurora.org> | 2017-03-22 15:12:59 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2017-09-16 22:41:59 +0200 |
commit | bd408128c5d4ba0f9ed4e21693b5093e9bece6bc (patch) | |
tree | a455fb244906f1f77923ad137abe5efa6fc118c3 /msm8909 | |
parent | 3a48b350bd57248fc0646a6c69fc0afe09721ce4 (diff) | |
download | android_hardware_qcom_audio-bd408128c5d4ba0f9ed4e21693b5093e9bece6bc.tar.gz android_hardware_qcom_audio-bd408128c5d4ba0f9ed4e21693b5093e9bece6bc.tar.bz2 android_hardware_qcom_audio-bd408128c5d4ba0f9ed4e21693b5093e9bece6bc.zip |
aenc-aac: bounds checkingHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004-rc1replicant-6.0-0004replicant-6.0-0003cm-13.0
Add bounds checking for buffers
CRs-Fixed: 2013236
Change-Id: I0e1f75ea307088b92e87b99f8b614afbcd0f1c82
CVE-2017-8278
Diffstat (limited to 'msm8909')
-rw-r--r-- | msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp b/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp index 6af9269c..1fd54c2f 100644 --- a/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp +++ b/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp @@ -4152,14 +4152,25 @@ OMX_ERRORTYPE omx_aac_aenc::fill_this_buffer_proxy DEBUG_DETAIL("FTBP->Al_len[%lu]buf[%p]size[%d]numOutBuf[%d]\n",\ buffer->nAllocLen,m_tmp_out_meta_buf, nReadbytes,nNumOutputBuf); - if(*m_tmp_out_meta_buf <= 0) + if(m_tmp_out_meta_buf == NULL) + return OMX_ErrorUndefined; + + if(*m_tmp_out_meta_buf <= 0 || *m_tmp_out_meta_buf > CHAR_MAX) return OMX_ErrorBadParameter; - szadifhr = AUDAAC_MAX_ADIF_HEADER_LENGTH; + szadifhr = AUDAAC_MAX_ADIF_HEADER_LENGTH; numframes = *m_tmp_out_meta_buf; metainfo = (int)((sizeof(ENC_META_OUT) * numframes)+ - sizeof(unsigned char)); + sizeof(unsigned char)); + /* + * add bounds checking + */ + if ((metainfo > INT_MAX - szadifhr) || + (buffer->nAllocLen < (nReadbytes + szadifhr)) || + (metainfo > nReadbytes)) { + return OMX_ErrorBadParameter; + } audaac_rec_install_adif_header_variable(0,sample_idx, - (OMX_U8)m_aac_param.nChannels); + (OMX_U8)m_aac_param.nChannels); memcpy(buffer->pBuffer,m_tmp_out_meta_buf,metainfo); memcpy(buffer->pBuffer + metainfo,&audaac_header_adif[0],szadifhr); memcpy(buffer->pBuffer + metainfo + szadifhr, |