Fix heap-buffer-overflow in MPEG4Extractor
Caused by the extractor assuming that sample size will never exceed
the declared max input size (as in AMEDIAFORMAT_KEY_MAX_INPUT_SIZE).
Bug: 188893559
Test: Ran the fuzzer using the bug's testcase.
Change-Id: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 621f0e12017a2d057aeaa1937e979ce61b2ac3cf)
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 7b3b81d..0873c5f 100644
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -135,6 +135,7 @@
bool mWantsNALFragments;
+ size_t mSrcBufferSize;
uint8_t *mSrcBuffer;
bool mIsHeif;
@@ -3862,6 +3863,7 @@
mGroup(NULL),
mBuffer(NULL),
mWantsNALFragments(false),
+ mSrcBufferSize(0),
mSrcBuffer(NULL),
mIsHeif(itemTable != NULL),
mItemTable(itemTable) {
@@ -3979,6 +3981,7 @@
mGroup = NULL;
return ERROR_MALFORMED;
}
+ mSrcBufferSize = max_size;
mStarted = true;
@@ -3995,6 +3998,7 @@
mBuffer = NULL;
}
+ mSrcBufferSize = 0;
delete[] mSrcBuffer;
mSrcBuffer = NULL;
@@ -4913,11 +4917,15 @@
ssize_t num_bytes_read = 0;
int32_t drm = 0;
bool usesDRM = (mFormat.findInt32(kKeyIsDRM, &drm) && drm != 0);
- if (usesDRM) {
+ if (usesDRM && size <= mBuffer->size()) {
num_bytes_read =
mDataSource->readAt(offset, (uint8_t*)mBuffer->data(), size);
- } else {
+ } else if (!usesDRM && size <= mSrcBufferSize) {
num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
+ // The sample is larger than the expected maximum size. Fall through and let the failure
+ // be handled by the following if.
+ android_errorWriteLog(0x534e4554, "188893559");
}
if (num_bytes_read < (ssize_t)size) {