From bd408128c5d4ba0f9ed4e21693b5093e9bece6bc Mon Sep 17 00:00:00 2001 From: Aalique Grahame Date: Wed, 22 Mar 2017 15:12:59 -0700 Subject: aenc-aac: bounds checking Add bounds checking for buffers CRs-Fixed: 2013236 Change-Id: I0e1f75ea307088b92e87b99f8b614afbcd0f1c82 CVE-2017-8278 --- msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp b/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp index 6af9269c..1fd54c2f 100644 --- a/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp +++ b/msm8909/mm-audio/aenc-aac/qdsp6/src/omx_aac_aenc.cpp @@ -4152,14 +4152,25 @@ OMX_ERRORTYPE omx_aac_aenc::fill_this_buffer_proxy DEBUG_DETAIL("FTBP->Al_len[%lu]buf[%p]size[%d]numOutBuf[%d]\n",\ buffer->nAllocLen,m_tmp_out_meta_buf, nReadbytes,nNumOutputBuf); - if(*m_tmp_out_meta_buf <= 0) + if(m_tmp_out_meta_buf == NULL) + return OMX_ErrorUndefined; + + if(*m_tmp_out_meta_buf <= 0 || *m_tmp_out_meta_buf > CHAR_MAX) return OMX_ErrorBadParameter; - szadifhr = AUDAAC_MAX_ADIF_HEADER_LENGTH; + szadifhr = AUDAAC_MAX_ADIF_HEADER_LENGTH; numframes = *m_tmp_out_meta_buf; metainfo = (int)((sizeof(ENC_META_OUT) * numframes)+ - sizeof(unsigned char)); + sizeof(unsigned char)); + /* + * add bounds checking + */ + if ((metainfo > INT_MAX - szadifhr) || + (buffer->nAllocLen < (nReadbytes + szadifhr)) || + (metainfo > nReadbytes)) { + return OMX_ErrorBadParameter; + } audaac_rec_install_adif_header_variable(0,sample_idx, - (OMX_U8)m_aac_param.nChannels); + (OMX_U8)m_aac_param.nChannels); memcpy(buffer->pBuffer,m_tmp_out_meta_buf,metainfo); memcpy(buffer->pBuffer + metainfo,&audaac_header_adif[0],szadifhr); memcpy(buffer->pBuffer + metainfo + szadifhr, -- cgit v1.2.3