summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarish Mahendrakar <harish.mahendrakar@ittiam.com>2019-10-21 14:43:26 -0700
committerBryan Ferris <bferris@google.com>2020-02-26 10:07:56 -0800
commit6b3b2f26fbbcf5ef5b41e00fc9c6bd4a164aa260 (patch)
treefc4cb33ac948b0257d7558ff95adde5d0db0e7fc
parent58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d (diff)
downloadframeworks_av-6b3b2f26fbbcf5ef5b41e00fc9c6bd4a164aa260.tar.gz
frameworks_av-6b3b2f26fbbcf5ef5b41e00fc9c6bd4a164aa260.tar.bz2
frameworks_av-6b3b2f26fbbcf5ef5b41e00fc9c6bd4a164aa260.zip
OpusHeader: Fix integer overflow in GetOpusHeaderBuffers
unified CSD parsing now checks for valid size of CSD Bug: 142861738 Test: poc in bug Test: atest android.media.cts.DecoderTest Change-Id: Iff742d2fdf4139bab7b5f378c1742ef52c0bbc78 Merged-In: Iff742d2fdf4139bab7b5f378c1742ef52c0bbc78
Diffstat
-rw-r--r--media/libstagefright/foundation/OpusHeader.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/foundation/OpusHeader.cpp b/media/libstagefright/foundation/OpusHeader.cpp
index 513e41f4a9..f5687e0d60 100644
--- a/media/libstagefright/foundation/OpusHeader.cpp
+++ b/media/libstagefright/foundation/OpusHeader.cpp
@@ -292,6 +292,10 @@ bool GetOpusHeaderBuffers(const uint8_t *data, size_t data_size,
*opusHeadSize = data_size;
return true;
} else if (memcmp(AOPUS_CSD_MARKER_PREFIX, data, AOPUS_CSD_MARKER_PREFIX_SIZE) == 0) {
+ if (data_size < AOPUS_UNIFIED_CSD_MINSIZE || data_size > AOPUS_UNIFIED_CSD_MAXSIZE) {
+ ALOGD("Unexpected size for unified opus csd %zu", data_size);
+ return false;
+ }
size_t i = 0;
bool found = false;
while (i <= data_size - AOPUS_MARKER_SIZE - AOPUS_LENGTH_SIZE) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-01 09:52:33 +0000