author | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2019-10-21 14:43:26 -0700 |
---|---|---|
committer | Bryan Ferris <bferris@google.com> | 2020-02-26 10:07:56 -0800 |
commit | 6b3b2f26fbbcf5ef5b41e00fc9c6bd4a164aa260 (patch) | |
tree | fc4cb33ac948b0257d7558ff95adde5d0db0e7fc | |
parent | 58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d (diff) | |
OpusHeader: Fix integer overflow in GetOpusHeaderBuffers
unified CSD parsing now checks for valid size of CSD
Bug: 142861738
Test: poc in bug
Test: atest android.media.cts.DecoderTest
Change-Id: Iff742d2fdf4139bab7b5f378c1742ef52c0bbc78
Merged-In: Iff742d2fdf4139bab7b5f378c1742ef52c0bbc78
-rw-r--r-- | media/libstagefright/foundation/OpusHeader.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/foundation/OpusHeader.cpp b/media/libstagefright/foundation/OpusHeader.cpp index 513e41f4a9..f5687e0d60 100644 --- a/media/libstagefright/foundation/OpusHeader.cpp +++ b/media/libstagefright/foundation/OpusHeader.cpp @@ -292,6 +292,10 @@ bool GetOpusHeaderBuffers(const uint8_t *data, size_t data_size, *opusHeadSize = data_size; return true; } else if (memcmp(AOPUS_CSD_MARKER_PREFIX, data, AOPUS_CSD_MARKER_PREFIX_SIZE) == 0) { + if (data_size < AOPUS_UNIFIED_CSD_MINSIZE || data_size > AOPUS_UNIFIED_CSD_MAXSIZE) { + ALOGD("Unexpected size for unified opus csd %zu", data_size); + return false; + } size_t i = 0; bool found = false; while (i <= data_size - AOPUS_MARKER_SIZE - AOPUS_LENGTH_SIZE) { |
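Review bot: the added range check in the `AOPUS_CSD_MARKER_PREFIX` branch only prevents the unsigned wrap in the loop bound `data_size - AOPUS_MARKER_SIZE - AOPUS_LENGTH_SIZE` if `AOPUS_UNIFIED_CSD_MINSIZE` is at least `AOPUS_MARKER_SIZE + AOPUS_LENGTH_SIZE`, and that relationship is not visible or enforced in this hunk. Consider pinning it with a `static_assert` next to the constant definitions, or writing the loop condition in additive form (`i + AOPUS_MARKER_SIZE + AOPUS_LENGTH_SIZE <= data_size`) so it cannot wrap regardless of how the constants change later. Also note that the `memcmp` against `data` for `AOPUS_CSD_MARKER_PREFIX_SIZE` bytes runs before the new size check; if nothing earlier in the function guarantees `data_size >= AOPUS_CSD_MARKER_PREFIX_SIZE`, the length test should come before the compare. A short comment stating why the min and max bounds were chosen would help future readers, and since this path rejects malformed input, a warning-level log may be more appropriate than `ALOGD`.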