Merge "add trunksize as restriction for function parseClearEncryptedSizes()" into rvc-dev

commit: e8ca692b95846034bb3edbde60eecaa9a28a2d24 [log] [tgz]
author: TreeHugger Robot <treehugger-gerrit@google.com> Wed Mar 25 18:29:38 2020 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Wed Mar 25 18:29:38 2020 +0000
tree: 9cc740a1dfff5824ed3a5e5d7766b1aa9b1f5d3a
parent: 06675ff30f63323905ff18c3c4e0d34a9fee4c60 [diff]
parent: bce9a57e0f8c5fb891accd39a88fec7720b98c46 [diff]
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 3aba3cd..c493594 100755
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp

@@ -165,8 +165,9 @@
     status_t parseTrackFragmentRun(off64_t offset, off64_t size);
     status_t parseSampleAuxiliaryInformationSizes(off64_t offset, off64_t size);
     status_t parseSampleAuxiliaryInformationOffsets(off64_t offset, off64_t size);
-    status_t parseClearEncryptedSizes(off64_t offset, bool isSubsampleEncryption, uint32_t flags);
-    status_t parseSampleEncryption(off64_t offset);
+    status_t parseClearEncryptedSizes(
+        off64_t offset, bool isSubsampleEncryption, uint32_t flags, off64_t size);
+    status_t parseSampleEncryption(off64_t offset, off64_t size);
     // returns -1 for invalid layer ID
     int32_t parseHEVCLayerId(const uint8_t *data, size_t size);
 
@@ -5184,7 +5185,7 @@
 
         case FOURCC("senc"): {
             status_t err;
-            if ((err = parseSampleEncryption(data_offset)) != OK) {
+            if ((err = parseSampleEncryption(data_offset, chunk_data_size)) != OK) {
                 return err;
             }
             *offset += chunk_size;
@@ -5376,12 +5377,13 @@
     off64_t drmoffset = mCurrentSampleInfoOffsets[0]; // from moof
 
     drmoffset += mCurrentMoofOffset;
+    size -= mCurrentMoofOffset;
 
-    return parseClearEncryptedSizes(drmoffset, false, 0);
+    return parseClearEncryptedSizes(drmoffset, false, 0, size);
 }
 
 status_t MPEG4Source::parseClearEncryptedSizes(
-        off64_t offset, bool isSubsampleEncryption, uint32_t flags) {
+        off64_t offset, bool isSubsampleEncryption, uint32_t flags, off64_t size) {
 
     int32_t ivlength;
     if (!AMediaFormat_getInt32(mFormat, AMEDIAFORMAT_KEY_CRYPTO_DEFAULT_IV_SIZE, &ivlength)) {
@@ -5396,10 +5398,14 @@
 
     uint32_t sampleCount = mCurrentSampleInfoCount;
     if (isSubsampleEncryption) {
+        if(size < 4){
+            return ERROR_MALFORMED;
+        }
         if (!mDataSource->getUInt32(offset, &sampleCount)) {
             return ERROR_IO;
         }
         offset += 4;
+        size -= 4;
     }
 
     // read CencSampleAuxiliaryDataFormats
@@ -5414,11 +5420,15 @@
         }
 
         memset(smpl->iv, 0, 16);
+        if(size < ivlength){
+            return ERROR_MALFORMED;
+        }
         if (mDataSource->readAt(offset, smpl->iv, ivlength) != ivlength) {
             return ERROR_IO;
         }
 
         offset += ivlength;
+        size -= ivlength;
 
         bool readSubsamples;
         if (isSubsampleEncryption) {
@@ -5433,13 +5443,20 @@
 
         if (readSubsamples) {
             uint16_t numsubsamples;
+            if(size < 2){
+                return ERROR_MALFORMED;
+            }
             if (!mDataSource->getUInt16(offset, &numsubsamples)) {
                 return ERROR_IO;
             }
             offset += 2;
+            size -= 2;
             for (size_t j = 0; j < numsubsamples; j++) {
                 uint16_t numclear;
                 uint32_t numencrypted;
+                if(size < 6){
+                    return ERROR_MALFORMED;
+                }
                 if (!mDataSource->getUInt16(offset, &numclear)) {
                     return ERROR_IO;
                 }
@@ -5448,6 +5465,7 @@
                     return ERROR_IO;
                 }
                 offset += 4;
+                size -= 6;
                 smpl->clearsizes.add(numclear);
                 smpl->encryptedsizes.add(numencrypted);
             }
@@ -5460,12 +5478,15 @@
     return OK;
 }
 
-status_t MPEG4Source::parseSampleEncryption(off64_t offset) {
+status_t MPEG4Source::parseSampleEncryption(off64_t offset, off64_t chunk_data_size) {
     uint32_t flags;
+    if(chunk_data_size < 4) {
+        return ERROR_MALFORMED;
+    }
     if (!mDataSource->getUInt32(offset, &flags)) { // actually version + flags
         return ERROR_MALFORMED;
     }
-    return parseClearEncryptedSizes(offset + 4, true, flags);
+    return parseClearEncryptedSizes(offset + 4, true, flags, chunk_data_size - 4);
 }
 
 status_t MPEG4Source::parseTrackFragmentHeader(off64_t offset, off64_t size) {
commit	e8ca692b95846034bb3edbde60eecaa9a28a2d24	[log] [tgz]
author	TreeHugger Robot <treehugger-gerrit@google.com>	Wed Mar 25 18:29:38 2020 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Wed Mar 25 18:29:38 2020 +0000
tree	9cc740a1dfff5824ed3a5e5d7766b1aa9b1f5d3a
parent	06675ff30f63323905ff18c3c4e0d34a9fee4c60 [diff]
parent	bce9a57e0f8c5fb891accd39a88fec7720b98c46 [diff]