Fix heap-buffer-overflow in MPEG4Extractor am: d13a4efc7a am: 3c5de138ed am: 35d835f934
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/15948718
Change-Id: I98e0758f35122b63c0b5e4679f6483021e97a209
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
old mode 100755
new mode 100644
index a976a2b..f157d35
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -146,6 +146,7 @@
MediaBufferHelper *mBuffer;
+ size_t mSrcBufferSize;
uint8_t *mSrcBuffer;
bool mIsHeif;
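Review bot: The new field `mSrcBufferSize` is declared without a comment, although the bounds check added later in this commit is only correct while it matches the allocation behind `mSrcBuffer`. A one-line comment on the declaration would make that invariant explicit, for example `// Allocated length of mSrcBuffer in bytes; 0 whenever mSrcBuffer is NULL.` The other hunks appear to keep the two in step (initialised together, set after the allocation check, cleared alongside `delete[]`). Future code that reallocates `mSrcBuffer` needs to know it must update both.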
@@ -4882,6 +4883,7 @@
mNALLengthSize(0),
mStarted(false),
mBuffer(NULL),
+ mSrcBufferSize(0),
mSrcBuffer(NULL),
mIsHeif(itemTable != NULL),
mItemTable(itemTable),
@@ -5060,6 +5062,7 @@
// file probably specified a bad max size
return AMEDIA_ERROR_MALFORMED;
}
+ mSrcBufferSize = max_size;
mStarted = true;
@@ -5076,6 +5079,7 @@
mBuffer = NULL;
}
+ mSrcBufferSize = 0;
delete[] mSrcBuffer;
mSrcBuffer = NULL;
@@ -6242,13 +6246,20 @@
// Whole NAL units are returned but each fragment is prefixed by
// the start code (0x00 00 00 01).
ssize_t num_bytes_read = 0;
- num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ bool mSrcBufferFitsDataToRead = size <= mSrcBufferSize;
+ if (mSrcBufferFitsDataToRead) {
+ num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
+ // We are trying to read a sample larger than the expected max sample size.
+ // Fall through and let the failure be handled by the following if.
+ android_errorWriteLog(0x534e4554, "188893559");
+ }
if (num_bytes_read < (ssize_t)size) {
mBuffer->release();
mBuffer = NULL;
- return AMEDIA_ERROR_IO;
+ return mSrcBufferFitsDataToRead ? AMEDIA_ERROR_IO : AMEDIA_ERROR_MALFORMED;
}
uint8_t *dstData = (uint8_t *)mBuffer->data();
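Review bot: The oversized-sample `else` branch does not fail on its own; it relies on the following `if (num_bytes_read < (ssize_t)size)` to reject the sample. That comparison is only true while `size` fits in `ssize_t`: a value that casts to a negative number would make `0 < (ssize_t)size` false, and execution would continue past the check with an unfilled `mSrcBuffer`. Whether earlier checks outside this hunk already bound `size` is not visible here, so it is safer to return from the `else` branch directly after the log call: `mBuffer->release(); mBuffer = NULL; return AMEDIA_ERROR_MALFORMED;`. On style, the local `mSrcBufferFitsDataToRead` carries the `m` member prefix and reads like a field; a name such as `srcBufferFits` would avoid that. If other `readAt` calls elsewhere in the file also write into `mSrcBuffer` (none are visible here), they would need the same `size <= mSrcBufferSize` bound; the enclosing function starts and ends outside this hunk.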