authorDongwon Kang <dwkang@google.com>2017-06-12 12:58:58 -0700
committerAndreas Blaesius <skate4life@gmx.de>2017-09-17 22:11:19 +0200
commitd7b3d7418d569a0fc98de373fb3bdf878826be2e (patch)
treec8898f66c004625a99b93a1bd40379c7e2192f8c
parent6a8fda20b9170dc650c4eefd3c18d5eb620d48e2 (diff)
MPEG4Extractor: check size for yrrc box
Test: stagefright -s poc_file Bug: 62133227 Change-Id: Iafefac39764ce01b4dde414b9f152c9ea71810e9 (cherry picked from commit 6ace94d2952eac82fc4c86aa6d585258248bf18c) CVE-2017-0778
-rwxr-xr-xmedia/libstagefright/MPEG4Extractor.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index af7781b9d0..5e5c88a0c1 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2793,6 +2793,13 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept
}
case FOURCC('y', 'r', 'r', 'c'):
{
+ if (size < 6) {
+ delete[] buffer;
+ buffer = NULL;
+ ALOGE("b/62133227");
+ android_errorWriteLog(0x534e4554, "62133227");
+ return ERROR_MALFORMED;
+ }
char tmp[5];
uint16_t year = U16_AT(&buffer[4]);
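Review bot: The `delete[] buffer; buffer = NULL;` pair is now hand-copied into each early return, here in the new `yrrc` guard and again in the `size < 6` branch of the second hunk, which had been returning without freeing; any later return added to this switch can leak the same way. The allocation of `buffer` is outside the hunk, so this is inferred, but if it is a plain `new[]` local, holding it in a `std::unique_ptr<uint8_t[]>` would let every `return ERROR_MALFORMED;` release it and would make the `buffer = NULL;` stores unnecessary. The literal `6` in the new guard also deserves a comment tying it to the read that follows, for example `// U16_AT(&buffer[4]) reads bytes 4..5, so at least 6 bytes are required`. parse3GPPMetaData starts and ends outside the hunk, so whether `size` is the length actually read into `buffer` should be confirmed against the allocation site.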
@@ -2815,6 +2822,8 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept
// smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00
if (size < 6) {
+ delete[] buffer;
+ buffer = NULL;
return ERROR_MALFORMED;
}