SimpleDecodingSource:Prevent OOB write in heap mem am: f3590a1b18 am: b240660c2e am: 247199f370
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/16187628
Change-Id: Ic6650ae6aedcdfb0fd2fb7ee2113bd48683edad6
diff --git a/media/libstagefright/SimpleDecodingSource.cpp b/media/libstagefright/SimpleDecodingSource.cpp
index 771dfea..55aa86b 100644
--- a/media/libstagefright/SimpleDecodingSource.cpp
+++ b/media/libstagefright/SimpleDecodingSource.cpp
@@ -318,18 +318,23 @@
}
size_t cpLen = min(in_buf->range_length(), in_buffer->capacity());
memcpy(in_buffer->base(), (uint8_t *)in_buf->data() + in_buf->range_offset(),
- cpLen );
+ cpLen);
if (mIsVorbis) {
int32_t numPageSamples;
if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
numPageSamples = -1;
}
- memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+ memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ cpLen += sizeof(numPageSamples);
+ } else {
+ ALOGW("Didn't have enough space to copy kKeyValidSamples");
+ }
}
res = mCodec->queueInputBuffer(
- in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+ in_ix, 0 /* offset */, cpLen,
timestampUs, 0 /* flags */);
if (res != OK) {
ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);
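Review bot: The new `else` branch only logs and then falls through to `queueInputBuffer`, so a Vorbis buffer is still queued without the 4-byte `numPageSamples` trailer. The old length argument, `range_length() + 4`, implies that consumers expect that trailer, so the codec would presumably read the last four payload bytes as the sample count; this needs confirming against the decoder. The same applies when `min()` truncates the payload: the frame is queued as if it were complete. The bounds check itself closes the out-of-bounds write, but it would be safer to treat both cases as a failed read and skip the queue call, using whatever error status the enclosing block already propagates; that block starts and ends outside this hunk. The warning should also carry the sizes so the condition can be triaged from logs, e.g. `ALOGW("[%s] no room for kKeyValidSamples: %zu + %zu > %zu", mComponentName.c_str(), cpLen, sizeof(numPageSamples), in_buffer->capacity());`.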