Fix heap-buffer-overflow in MPEG4Extractor am: d13a4efc7a am: 3c5de138ed
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/15948718
Change-Id: I01d657fc6769e9521594e6195e18292e07960779
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
old mode 100755
new mode 100644
index 485c0cc..26205ad
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -141,6 +141,7 @@
MediaBufferHelper *mBuffer;
+ size_t mSrcBufferSize;
uint8_t *mSrcBuffer;
bool mIsHeif;
@@ -4670,6 +4671,7 @@
mNALLengthSize(0),
mStarted(false),
mBuffer(NULL),
+ mSrcBufferSize(0),
mSrcBuffer(NULL),
mIsHeif(itemTable != NULL),
mItemTable(itemTable),
@@ -4825,6 +4827,7 @@
// file probably specified a bad max size
return AMEDIA_ERROR_MALFORMED;
}
+ mSrcBufferSize = max_size;
mStarted = true;
@@ -4841,6 +4844,7 @@
mBuffer = NULL;
}
+ mSrcBufferSize = 0;
delete[] mSrcBuffer;
mSrcBuffer = NULL;
@@ -5927,13 +5931,20 @@
// Whole NAL units are returned but each fragment is prefixed by
// the start code (0x00 00 00 01).
ssize_t num_bytes_read = 0;
- num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ bool mSrcBufferFitsDataToRead = size <= mSrcBufferSize;
+ if (mSrcBufferFitsDataToRead) {
+ num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
+ // We are trying to read a sample larger than the expected max sample size.
+ // Fall through and let the failure be handled by the following if.
+ android_errorWriteLog(0x534e4554, "188893559");
+ }
if (num_bytes_read < (ssize_t)size) {
mBuffer->release();
mBuffer = NULL;
- return AMEDIA_ERROR_IO;
+ return mSrcBufferFitsDataToRead ? AMEDIA_ERROR_IO : AMEDIA_ERROR_MALFORMED;
}
uint8_t *dstData = (uint8_t *)mBuffer->data();