Add size checking for 'saio' box

Test: run poc Bug: 124526959 Change-Id: I9ec41f8d27c613609de6cfff2474793f88c5b956
author: Dongwon Kang <dwkang@google.com> 2019-05-15 14:26:37 -0700
committer: Bryan Ferris <bferris@google.com> 2020-02-24 12:24:42 -0800
commit: f562ce8410c5ffa9b28023006d20e03588e0c39d (patch)
tree: c507bd77e535fd2a3c6a8362f7a108d92c613131
parent: 58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d (diff)
download: frameworks_av-f562ce8410c5ffa9b28023006d20e03588e0c39d.tar.gz
frameworks_av-f562ce8410c5ffa9b28023006d20e03588e0c39d.tar.bz2
frameworks_av-f562ce8410c5ffa9b28023006d20e03588e0c39d.zip
1 files changed, 19 insertions, 1 deletions
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 9d5890c42c..a3572e6a33 100755
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -5061,26 +5061,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes(
 }
 
 status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
-        off64_t offset, off64_t /* size */) {
+        off64_t offset, off64_t size) {
     ALOGV("parseSampleAuxiliaryInformationOffsets");
+    if (size < 8) {
+        return -EINVAL;
+    }
     // 14496-12 8.7.13
     uint8_t version;
     if (mDataSource->readAt(offset, &version, sizeof(version)) != 1) {
         return ERROR_IO;
     }
     offset++;
+    size--;
 
     uint32_t flags;
     if (!mDataSource->getUInt24(offset, &flags)) {
         return ERROR_IO;
     }
     offset += 3;
+    size -= 3;
 
     uint32_t entrycount;
     if (!mDataSource->getUInt32(offset, &entrycount)) {
         return ERROR_IO;
     }
     offset += 4;
+    size -= 4;
     if (entrycount == 0) {
         return OK;
     }
@@ -5106,19 +5112,31 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
 
     for (size_t i = 0; i < entrycount; i++) {
         if (version == 0) {
+            if (size < 4) {
+                ALOGW("b/124526959");
+                android_errorWriteLog(0x534e4554, "124526959");
+                return -EINVAL;
+            }
             uint32_t tmp;
             if (!mDataSource->getUInt32(offset, &tmp)) {
                 return ERROR_IO;
             }
             mCurrentSampleInfoOffsets[i] = tmp;
             offset += 4;
+            size -= 4;
         } else {
+            if (size < 8) {
+                ALOGW("b/124526959");
+                android_errorWriteLog(0x534e4554, "124526959");
+                return -EINVAL;
+            }
             uint64_t tmp;
             if (!mDataSource->getUInt64(offset, &tmp)) {
                 return ERROR_IO;
             }
             mCurrentSampleInfoOffsets[i] = tmp;
             offset += 8;
+            size -= 8;
         }
     }
author	Dongwon Kang <dwkang@google.com>	2019-05-15 14:26:37 -0700
committer	Bryan Ferris <bferris@google.com>	2020-02-24 12:24:42 -0800
commit	f562ce8410c5ffa9b28023006d20e03588e0c39d (patch)
tree	c507bd77e535fd2a3c6a8362f7a108d92c613131
parent	58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d (diff)
download	frameworks_av-f562ce8410c5ffa9b28023006d20e03588e0c39d.tar.gz frameworks_av-f562ce8410c5ffa9b28023006d20e03588e0c39d.tar.bz2 frameworks_av-f562ce8410c5ffa9b28023006d20e03588e0c39d.zip