Fix buffer leak in MPEG4Extractor
Bug: 188893559
Test: Ran the fuzzer using the bug's testcase.
Change-Id: Ia7d851f1f5f4f3025f4e2e239c7e1ef9bc6f7b0e
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 252a497..9e4fbd5 100644
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -6471,17 +6471,18 @@
// Whole NAL units are returned but each fragment is prefixed by
// the start code (0x00 00 00 01).
ssize_t num_bytes_read = 0;
- if (mSrcBufferSize < size) {
+ bool mSrcBufferFitsDataToRead = size <= mSrcBufferSize;
+ if (mSrcBufferFitsDataToRead) {
+ num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
// We are trying to read a sample larger than the expected max sample size.
- return AMEDIA_ERROR_MALFORMED;
+ // Fall through and let the failure be handled by the following if.
}
- num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
if (num_bytes_read < (ssize_t)size) {
mBuffer->release();
mBuffer = NULL;
-
- return AMEDIA_ERROR_IO;
+ return mSrcBufferFitsDataToRead ? AMEDIA_ERROR_IO : AMEDIA_ERROR_MALFORMED;
}
uint8_t *dstData = (uint8_t *)mBuffer->data();
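Review bot: The oversized-sample path in the new `else` branch no longer rejects on its own; it depends on `num_bytes_read < (ssize_t)size` being true while `num_bytes_read` is still 0. If `size` (declared outside this hunk, presumably a `size_t`) can exceed the range of `ssize_t`, the cast goes negative and the comparison is false. Execution then continues to the `mBuffer->data()` line with a sample larger than `mSrcBuffer`, which the removed early return always prevented. Making the rejection explicit keeps the leak fix without that dependency: `if (!mSrcBufferFitsDataToRead || num_bytes_read < (ssize_t)size) {`. Separately, `mSrcBufferFitsDataToRead` is a local but carries the `m` member prefix, so a name like `srcBufferFitsDataToRead` would read more clearly; the enclosing function starts and ends outside the hunk.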