Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 391d2f67 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty
Browse files

Merge tag 'android-security-11.0.0_r50' into staging/lineage-18.1_merge-android-security-11.0.0_r50 

Android security 11.0.0 release 50

* tag 'android-security-11.0.0_r50':
  C2SoftMp3Dec: fix OOB write in output buffer
  Fix heap-buffer-overflow in MPEG4Extractor am: d13a4efc

Change-Id: I8b0a805f7fe2da7bd7c8c90e1ca6aa7ccf83b1fb
parents c183b3ba 4258c3dc

media/codec2/components/mp3/C2SoftMp3Dec.cpp

+1 −1
Original line number Diff line number Diff line
@@ -405,7 +405,7 @@ void C2SoftMP3::process( 
        mConfig->inputBufferCurrentLength = (inSize - inPos);

        mConfig->inputBufferMaxLength = 0;

        mConfig->inputBufferUsedLength = 0;

        mConfig->outputFrameSize = (calOutSize - outSize);

        mConfig->outputFrameSize = (calOutSize - outSize) / sizeof(int16_t);

        mConfig->pOutputBuffer = reinterpret_cast<int16_t *> (wView.data() + outSize);



        ERROR_CODE decoderErr;

media/extractors/mp4/MPEG4Extractor.cpp

100755 → 100644
+13 −2
Original line number Diff line number Diff line
@@ -146,6 +146,7 @@ private: 


    MediaBufferHelper *mBuffer;



    size_t mSrcBufferSize;

    uint8_t *mSrcBuffer;



    bool mIsHeif;
@@ -4882,6 +4883,7 @@ MPEG4Source::MPEG4Source( 
      mNALLengthSize(0),

      mStarted(false),

      mBuffer(NULL),

      mSrcBufferSize(0),

      mSrcBuffer(NULL),

      mIsHeif(itemTable != NULL),

      mItemTable(itemTable),
@@ -5060,6 +5062,7 @@ media_status_t MPEG4Source::start() { 
        // file probably specified a bad max size

        return AMEDIA_ERROR_MALFORMED;

    }

    mSrcBufferSize = max_size;



    mStarted = true;
@@ -5076,6 +5079,7 @@ media_status_t MPEG4Source::stop() { 
        mBuffer = NULL;

    }



    mSrcBufferSize = 0;

    delete[] mSrcBuffer;

    mSrcBuffer = NULL;
@@ -6242,13 +6246,20 @@ media_status_t MPEG4Source::read( 
        // Whole NAL units are returned but each fragment is prefixed by

        // the start code (0x00 00 00 01).

        ssize_t num_bytes_read = 0;

        bool mSrcBufferFitsDataToRead = size <= mSrcBufferSize;

        if (mSrcBufferFitsDataToRead) {

          num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);

        } else {

          // We are trying to read a sample larger than the expected max sample size.

          // Fall through and let the failure be handled by the following if.

          android_errorWriteLog(0x534e4554, "188893559");

        }



        if (num_bytes_read < (ssize_t)size) {

            mBuffer->release();

            mBuffer = NULL;



            return AMEDIA_ERROR_IO;

            return mSrcBufferFitsDataToRead ? AMEDIA_ERROR_IO : AMEDIA_ERROR_MALFORMED;

        }



        uint8_t *dstData = (uint8_t *)mBuffer->data();