DivestOS/Patches/LineageOS-14.1/android_frameworks_av/319987.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Santiago Seifert <aquilescanta@google.com>
Date: Thu, 2 Sep 2021 10:29:09 +0100
Subject: [PATCH] Fix heap-buffer-overflow in MPEG4Extractor

Caused by the extractor assuming that sample size will never exceed
the declared max input size (as in AMEDIAFORMAT_KEY_MAX_INPUT_SIZE).

Bug: 188893559
Test: Ran the fuzzer using the bug's testcase.
Change-Id: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 621f0e12017a2d057aeaa1937e979ce61b2ac3cf)
(cherry picked from commit d13a4efc7a5c07c95a00036a7db15b16116b41a5)
---
 media/libstagefright/MPEG4Extractor.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 989ce75e15..805ff486bb 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -149,6 +149,7 @@ private:
 
     bool mWantsNALFragments;
 
+    size_t mSrcBufferSize;
     uint8_t *mSrcBuffer;
 
     size_t parseNALSize(const uint8_t *data) const;
@@ -3763,6 +3764,7 @@ MPEG4Source::MPEG4Source(
       mGroup(NULL),
       mBuffer(NULL),
       mWantsNALFragments(false),
+      mSrcBufferSize(0),
       mSrcBuffer(NULL) {
 #ifdef DOLBY_ENABLE
       ALOGV("@DDP MPEG4Source::MPEG4Source");
@@ -3876,6 +3878,7 @@ status_t MPEG4Source::start(MetaData *params) {
         mGroup = NULL;
         return ERROR_MALFORMED;
     }
+    mSrcBufferSize = max_size;
 
     mStarted = true;
 
@@ -3892,6 +3895,7 @@ status_t MPEG4Source::stop() {
         mBuffer = NULL;
     }
 
+    mSrcBufferSize = 0;
     delete[] mSrcBuffer;
     mSrcBuffer = NULL;
 
@@ -4727,11 +4731,15 @@ status_t MPEG4Source::read(
         ssize_t num_bytes_read = 0;
         int32_t drm = 0;
         bool usesDRM = (mFormat->findInt32(kKeyIsDRM, &drm) && drm != 0);
-        if (usesDRM) {
+        if (usesDRM && size <= mBuffer->size()) {
             num_bytes_read =
                 mDataSource->readAt(offset, (uint8_t*)mBuffer->data(), size);
-        } else {
+        } else if (!usesDRM && size <= mSrcBufferSize) {
             num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+        } else {
+            // The sample is larger than the expected maximum size. Fall through and let the failure
+            // be handled by the following if.
+            android_errorWriteLog(0x534e4554, "188893559");
         }
 
         if (num_bytes_read < (ssize_t)size) {
Pull in old cherrypicks + 5 missing patches from syphyr This adds 3 expat patches for n-asb-2022-09 from https://github.com/syphyr/android_external_expat/commits/cm-14.1 and also applies 2 of them to 15.1 Signed-off-by: Tad <tad@spotco.us> 2022-09-11 12:25:11 -04:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Santiago Seifert <aquilescanta@google.com>`
			`Date: Thu, 2 Sep 2021 10:29:09 +0100`
			`Subject: [PATCH] Fix heap-buffer-overflow in MPEG4Extractor`

			`Caused by the extractor assuming that sample size will never exceed`
			`the declared max input size (as in AMEDIAFORMAT_KEY_MAX_INPUT_SIZE).`

			`Bug: 188893559`
			`Test: Ran the fuzzer using the bug's testcase.`
			`Change-Id: I31f2b9a4f1b561c4466c76ea2af8dd532622102a`
			`Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a`
			`(cherry picked from commit 621f0e12017a2d057aeaa1937e979ce61b2ac3cf)`
			`(cherry picked from commit d13a4efc7a5c07c95a00036a7db15b16116b41a5)`
			`---`
			`media/libstagefright/MPEG4Extractor.cpp \| 12 ++++++++++--`
			`1 file changed, 10 insertions(+), 2 deletions(-)`

			`diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp`
			`index 989ce75e15..805ff486bb 100644`
			`--- a/media/libstagefright/MPEG4Extractor.cpp`
			`+++ b/media/libstagefright/MPEG4Extractor.cpp`
			`@@ -149,6 +149,7 @@ private:`

			`bool mWantsNALFragments;`

			`+ size_t mSrcBufferSize;`
			`uint8_t *mSrcBuffer;`

			`size_t parseNALSize(const uint8_t *data) const;`
			`@@ -3763,6 +3764,7 @@ MPEG4Source::MPEG4Source(`
			`mGroup(NULL),`
			`mBuffer(NULL),`
			`mWantsNALFragments(false),`
			`+ mSrcBufferSize(0),`
			`mSrcBuffer(NULL) {`
			`#ifdef DOLBY_ENABLE`
			`ALOGV("@DDP MPEG4Source::MPEG4Source");`
			`@@ -3876,6 +3878,7 @@ status_t MPEG4Source::start(MetaData *params) {`
			`mGroup = NULL;`
			`return ERROR_MALFORMED;`
			`}`
			`+ mSrcBufferSize = max_size;`

			`mStarted = true;`

			`@@ -3892,6 +3895,7 @@ status_t MPEG4Source::stop() {`
			`mBuffer = NULL;`
			`}`

			`+ mSrcBufferSize = 0;`
			`delete[] mSrcBuffer;`
			`mSrcBuffer = NULL;`

			`@@ -4727,11 +4731,15 @@ status_t MPEG4Source::read(`
			`ssize_t num_bytes_read = 0;`
			`int32_t drm = 0;`
			`bool usesDRM = (mFormat->findInt32(kKeyIsDRM, &drm) && drm != 0);`
			`- if (usesDRM) {`
			`+ if (usesDRM && size <= mBuffer->size()) {`
			`num_bytes_read =`
			`mDataSource->readAt(offset, (uint8_t*)mBuffer->data(), size);`
			`- } else {`
			`+ } else if (!usesDRM && size <= mSrcBufferSize) {`
			`num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);`
			`+ } else {`
			`+ // The sample is larger than the expected maximum size. Fall through and let the failure`
			`+ // be handled by the following if.`
			`+ android_errorWriteLog(0x534e4554, "188893559");`
			`}`

			`if (num_bytes_read < (ssize_t)size) {`