mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-11 17:04:20 -05:00
54 lines
2.6 KiB
Diff
54 lines
2.6 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Gopalakrishnan Nallasamy <gokrishnan@google.com>
|
||
|
Date: Wed, 29 Sep 2021 08:24:26 -0700
|
||
|
Subject: [PATCH] SimpleDecodingSource:Prevent OOB write in heap mem
|
||
|
|
||
|
doRead() doesn't handle situations when received byte do not fit into
|
||
|
input buffer in case of vorbis audio compression. It results in OOB
|
||
|
write in heap memory right after the allocated input buffer. Added
|
||
|
code to copy kKeyValidSamples only if there was enough space.
|
||
|
Otherwise, print a warning log.
|
||
|
|
||
|
Bug: 194105348
|
||
|
|
||
|
Test: post-submit media cts tests
|
||
|
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
|
||
|
(cherry picked from commit a625b40e1c210f1e8ed57962eee9f70cef06fb1b)
|
||
|
(cherry picked from commit f3590a1b18d8cde4ac1cbc135c1022816096438d)
|
||
|
Merged-In:I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
|
||
|
---
|
||
|
media/libstagefright/SimpleDecodingSource.cpp | 11 ++++++++---
|
||
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/media/libstagefright/SimpleDecodingSource.cpp b/media/libstagefright/SimpleDecodingSource.cpp
|
||
|
index 2503a3205d..66e17c9c31 100644
|
||
|
--- a/media/libstagefright/SimpleDecodingSource.cpp
|
||
|
+++ b/media/libstagefright/SimpleDecodingSource.cpp
|
||
|
@@ -292,18 +292,23 @@ status_t SimpleDecodingSource::doRead(
|
||
|
}
|
||
|
size_t cpLen = min(in_buf->range_length(), in_buffer->capacity());
|
||
|
memcpy(in_buffer->base(), (uint8_t *)in_buf->data() + in_buf->range_offset(),
|
||
|
- cpLen );
|
||
|
+ cpLen);
|
||
|
|
||
|
if (mIsVorbis) {
|
||
|
int32_t numPageSamples;
|
||
|
if (!in_buf->meta_data()->findInt32(kKeyValidSamples, &numPageSamples)) {
|
||
|
numPageSamples = -1;
|
||
|
}
|
||
|
- memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
|
||
|
+ if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
|
||
|
+ memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
|
||
|
+ cpLen += sizeof(numPageSamples);
|
||
|
+ } else {
|
||
|
+ ALOGW("Didn't have enough space to copy kKeyValidSamples");
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
res = mCodec->queueInputBuffer(
|
||
|
- in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
|
||
|
+ in_ix, 0 /* offset */, cpLen,
|
||
|
timestampUs, 0 /* flags */);
|
||
|
if (res != OK) {
|
||
|
ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);
|