author | Dongwon Kang <dwkang@google.com> | 2019-05-15 14:09:56 -0700 |
---|---|---|
committer | Bryan Ferris <bferris@google.com> | 2020-02-24 12:25:12 -0800 |
commit | 6081cd380a88f04a0f2667c0f557c936645564bd (patch) | |
tree | 98db3685f96b990a15fe75ac13cc26f4fcd7575a | |
parent | ad90ca79ba8470d430032a188b6f76284f4aa9b8 (diff) | |
Add size checking for 'saiz' box
Test: run poc
Bug: 124525515
Change-Id: I64a20c508b6d3f3de96c889e5660f9ec6950fd2e
-rwxr-xr-x | media/extractors/mp4/MPEG4Extractor.cpp | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index a3572e6a33..5d693a147f 100755
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -4993,8 +4993,11 @@ status_t MPEG4Source::parseChunk(off64_t *offset) {
 }
 status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
- off64_t offset, off64_t /* size */) {
+ off64_t offset, off64_t size) {
 ALOGV("parseSampleAuxiliaryInformationSizes");
+ if (size < 9) {
+ return -EINVAL;
+ }
 // 14496-12 8.7.12
 uint8_t version;
 if (mDataSource->readAt(
@@ -5007,25 +5010,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 return ERROR_UNSUPPORTED;
 }
 offset++;
+ size--;
 uint32_t flags;
 if (!mDataSource->getUInt24(offset, &flags)) {
 return ERROR_IO;
 }
 offset += 3;
+ size -= 3;
 if (flags & 1) {
+ if (size < 13) {
+ return -EINVAL;
+ }
 uint32_t tmp;
 if (!mDataSource->getUInt32(offset, &tmp)) {
 return ERROR_MALFORMED;
 }
 mCurrentAuxInfoType = tmp;
 offset += 4;
+ size -= 4;
 if (!mDataSource->getUInt32(offset, &tmp)) {
 return ERROR_MALFORMED;
 }
 mCurrentAuxInfoTypeParameter = tmp;
 offset += 4;
+ size -= 4;
 }
 uint8_t defsize;
@@ -5034,6 +5044,7 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 }
 mCurrentDefaultSampleInfoSize = defsize;
 offset++;
+ size--;
 uint32_t smplcnt;
 if (!mDataSource->getUInt32(offset, &smplcnt)) {
@@ -5041,7 +5052,12 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 }
 mCurrentSampleInfoCount = smplcnt;
 offset += 4;
-
+ size -= 4;
+ if(smplcnt > size) {
+ ALOGW("b/124525515 - smplcnt(%u) > size(%ld)", (unsigned int)smplcnt, (unsigned long)size);
+ android_errorWriteLog(0x534e4554, "124525515");
+ return -EINVAL;
+ }
 if (mCurrentDefaultSampleInfoSize != 0) {
 ALOGV("@@@@ using default sample info size of %d", mCurrentDefaultSampleInfoSize);
 return OK;
 |
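Review bot: The thresholds in the new `if (size < 9)` guard (first hunk) and `if (size < 13)` guard (second hunk) are bare numbers, and a later edit to the field reads can silently invalidate them. From the reads visible here, 9 is version(1) + flags(3) + default sample info size(1) + sample count(4), and 13 is the two 4-byte aux-info fields plus the remaining 5 bytes once the 4 header bytes have been subtracted. I would add a comment such as `// version(1) + flags(3) + default_sample_info_size(1) + sample_count(4)` above the first guard and a matching one above the second. Both guards return `-EINVAL`, while the surrounding reads report `ERROR_MALFORMED` or `ERROR_IO`; returning `ERROR_MALFORMED` for a truncated box would keep the function's error reporting uniform. The function body starts before and continues after these hunks, so the full set of return codes is not visible here.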
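Review bot: The new `if(smplcnt > size)` check in the last hunk sits before the `if (mCurrentDefaultSampleInfoSize != 0) { ... return OK; }` early return, so it also runs for boxes that declare a default sample info size. As far as I can tell from ISO 14496-12, the per-sample size table follows the sample count only when the default size is 0, so a well-formed box with a non-zero default would have no bytes left and be rejected with `-EINVAL`. Moving the whole check below that early return would keep the bound next to the table read it protects; that read is outside the hunk, so please confirm it consumes one byte per sample. `mCurrentSampleInfoCount = smplcnt;` is also assigned before the check, which leaves the unvalidated count in the member on the error path, so I would assign it only after the check passes. The log call pairs `%ld` with `(unsigned long)size`, which mismatches signedness and truncates `off64_t` on 32-bit builds; `ALOGW("b/124525515 - smplcnt(%u) > size(%lld)", (unsigned int)smplcnt, (long long)size);` prints the real value.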