Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7df01786 authored by Santiago Seifert's avatar Santiago Seifert
Browse files

Fix buffer leak in MPEG4Extractor 

Bug: 188893559
Test: Ran the fuzzer using the bug's testcase.
Change-Id: Ia7d851f1f5f4f3025f4e2e239c7e1ef9bc6f7b0e
parent 4a5c8c85

media/extractors/mp4/MPEG4Extractor.cpp

+6 −5
Original line number Diff line number Diff line
@@ -6471,17 +6471,18 @@ media_status_t MPEG4Source::read( 
        // Whole NAL units are returned but each fragment is prefixed by

        // the start code (0x00 00 00 01).

        ssize_t num_bytes_read = 0;

        if (mSrcBufferSize < size) {

        bool mSrcBufferFitsDataToRead = size <= mSrcBufferSize;

        if (mSrcBufferFitsDataToRead) {

          num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);

        } else {

          // We are trying to read a sample larger than the expected max sample size.

          return AMEDIA_ERROR_MALFORMED;

          // Fall through and let the failure be handled by the following if.

        }

        num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);



        if (num_bytes_read < (ssize_t)size) {

            mBuffer->release();

            mBuffer = NULL;



            return AMEDIA_ERROR_IO;

            return mSrcBufferFitsDataToRead ? AMEDIA_ERROR_IO : AMEDIA_ERROR_MALFORMED;

        }



        uint8_t *dstData = (uint8_t *)mBuffer->data();