From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robert Shih <robertshih@google.com>
Date: Mon, 24 Oct 2016 11:38:31 -0700
Subject: [PATCH] FLACExtractor: copy protect mWriteBuffer
Bug: 30895578
AOSP-Change-Id: I4cba36bbe3502678210e5925181683df9726b431
CVE-2017-0592
Change-Id: I9207b68152fd91efe6ace51fb0fae0f2e29961c5
---
media/libstagefright/FLACExtractor.cpp | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/media/libstagefright/FLACExtractor.cpp b/media/libstagefright/FLACExtractor.cpp
index 4dfd86a0b3..82a962bc73 100644
--- a/media/libstagefright/FLACExtractor.cpp
+++ b/media/libstagefright/FLACExtractor.cpp
@@ -77,6 +77,10 @@ class FLACParser : public RefBase {
friend class FLACSource;
public:
+ enum {
+ kMaxChannels = 8,
+ };
+
FLACParser(
const sp<DataSource> &dataSource,
// If metadata pointers aren't provided, we don't fill them
@@ -145,7 +149,7 @@ private:
bool mWriteRequested;
bool mWriteCompleted;
FLAC__FrameHeader mWriteHeader;
- const FLAC__int32 * mWriteBuffer[FLAC__MAX_CHANNELS];
+ FLAC__int32 const * mWriteBuffer[kMaxChannels];
// most recent error reported by libFLAC parser
FLAC__StreamDecoderErrorStatus mErrorStatus;
@@ -329,9 +333,7 @@ FLAC__StreamDecoderWriteStatus FLACParser::writeCallback(
mWriteRequested = false;
// FLAC parser doesn't free or realloc buffer until next frame or finish
mWriteHeader = frame->header;
- for(unsigned channel = 0; channel < frame->header.channels; channel++) {
- mWriteBuffer[channel] = buffer[channel];
- }
+ memmove(mWriteBuffer, buffer, sizeof(const FLAC__int32 * const) * getChannels());
mWriteCompleted = true;
return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
} else {
@@ -493,7 +495,7 @@ status_t FLACParser::init()
}
if (mStreamInfoValid) {
// check channel count
- if (getChannels() == 0 || getChannels() > 8) {
+ if (getChannels() == 0 || getChannels() > kMaxChannels) {
ALOGE("unsupported channel count %u", getChannels());
return NO_INIT;
}