DivestOS/Patches/LineageOS-14.1/android_frameworks_av/319987.patch

73 lines
2.5 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Santiago Seifert <aquilescanta@google.com>
Date: Thu, 2 Sep 2021 10:29:09 +0100
Subject: [PATCH] Fix heap-buffer-overflow in MPEG4Extractor
Caused by the extractor assuming that sample size will never exceed
the declared max input size (as in AMEDIAFORMAT_KEY_MAX_INPUT_SIZE).
Bug: 188893559
Test: Ran the fuzzer using the bug's testcase.
Change-Id: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 621f0e12017a2d057aeaa1937e979ce61b2ac3cf)
(cherry picked from commit d13a4efc7a5c07c95a00036a7db15b16116b41a5)
---
media/libstagefright/MPEG4Extractor.cpp | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 989ce75e15..805ff486bb 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -149,6 +149,7 @@ private:
bool mWantsNALFragments;
+ size_t mSrcBufferSize;
uint8_t *mSrcBuffer;
size_t parseNALSize(const uint8_t *data) const;
@@ -3763,6 +3764,7 @@ MPEG4Source::MPEG4Source(
mGroup(NULL),
mBuffer(NULL),
mWantsNALFragments(false),
+ mSrcBufferSize(0),
mSrcBuffer(NULL) {
#ifdef DOLBY_ENABLE
ALOGV("@DDP MPEG4Source::MPEG4Source");
@@ -3876,6 +3878,7 @@ status_t MPEG4Source::start(MetaData *params) {
mGroup = NULL;
return ERROR_MALFORMED;
}
+ mSrcBufferSize = max_size;
mStarted = true;
@@ -3892,6 +3895,7 @@ status_t MPEG4Source::stop() {
mBuffer = NULL;
}
+ mSrcBufferSize = 0;
delete[] mSrcBuffer;
mSrcBuffer = NULL;
@@ -4727,11 +4731,15 @@ status_t MPEG4Source::read(
ssize_t num_bytes_read = 0;
int32_t drm = 0;
bool usesDRM = (mFormat->findInt32(kKeyIsDRM, &drm) && drm != 0);
- if (usesDRM) {
+ if (usesDRM && size <= mBuffer->size()) {
num_bytes_read =
mDataSource->readAt(offset, (uint8_t*)mBuffer->data(), size);
- } else {
+ } else if (!usesDRM && size <= mSrcBufferSize) {
num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
+ // The sample is larger than the expected maximum size. Fall through and let the failure
+ // be handled by the following if.
+ android_errorWriteLog(0x534e4554, "188893559");
}
if (num_bytes_read < (ssize_t)size) {