diff options
| author | Dongwon Kang <dwkang@google.com> | 2019-05-15 14:55:14 -0700 |
|---|---|---|
| committer | Bryan Ferris <bferris@google.com> | 2020-02-24 12:24:51 -0800 |
| commit | 0db35529c7b1aaf7c08d59f22297781cf5195712 (patch) | |
| tree | 46b0391c78791259d90ff1678b075fbdcba5d0f8 | |
| parent | f562ce8410c5ffa9b28023006d20e03588e0c39d (diff) | |
| download | frameworks_av-0db35529c7b1aaf7c08d59f22297781cf5195712.tar.gz frameworks_av-0db35529c7b1aaf7c08d59f22297781cf5195712.tar.bz2 frameworks_av-0db35529c7b1aaf7c08d59f22297781cf5195712.zip | |
Add more size checking for 'stss' box
Test: run poc
Bug: 124771364
Change-Id: Id34dea17f78715eb7c44a3959c654b0f09ead3fb
| -rw-r--r-- | media/extractors/mp4/SampleTable.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/extractors/mp4/SampleTable.cpp b/media/extractors/mp4/SampleTable.cpp index bf29bf1eac..6558033eee 100644 --- a/media/extractors/mp4/SampleTable.cpp +++ b/media/extractors/mp4/SampleTable.cpp @@ -540,6 +540,12 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t); + if (allocSize > data_size - 8) { + ALOGW("b/124771364 - allocSize(%lu) > size(%lu)", + (unsigned long)allocSize, (unsigned long)(data_size - 8)); + android_errorWriteLog(0x534e4554, "124771364"); + return ERROR_MALFORMED; + } if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; |