
Commit e8368bdf authored by Ray Essick's avatar Ray Essick Committed by Jessica Wagantall

Fix corruption via buffer overflow in mediaserver

Change unbounded sprintf() to snprintf() so network-provided values
can't overflow the buffers.

Applicable to all K/L/M/N branches.

CYNGNOS-3235
Bug: 25747670
Change-Id: Id6a5120c2d08a6fbbd47deffb680ecf82015f4f6
(cherry picked from commit b2396a52)
(cherry picked from commit d62e1579)
parent 36e7d402
+9 −5
@@ -17,6 +17,7 @@
//#define LOG_NDEBUG 0
#define LOG_TAG "ASessionDescription"
#include <utils/Log.h>
#include <cutils/log.h>

#include "ASessionDescription.h"

@@ -211,12 +212,12 @@ void ASessionDescription::getFormatType(

    *PT = x;

    char key[20];
    sprintf(key, "a=rtpmap:%lu", x);
    char key[32];
    snprintf(key, sizeof(key), "a=rtpmap:%lu", x);

    CHECK(findAttribute(index, key, desc));

    sprintf(key, "a=fmtp:%lu", x);
    snprintf(key, sizeof(key), "a=fmtp:%lu", x);
    if (!findAttribute(index, key, params)) {
        params->clear();
    }
@@ -228,8 +229,11 @@ bool ASessionDescription::getDimensions(
    *width = 0;
    *height = 0;

    char key[20];
    sprintf(key, "a=framesize:%lu", PT);
    char key[33];
    snprintf(key, sizeof(key), "a=framesize:%lu", PT);
    if (PT > 9999999) {
        android_errorWriteLog(0x534e4554, "25747670");
    }
    AString value;
    if (!findAttribute(index, key, &value)) {
        return false;
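Review bot: The new buffer sizes (`char key[32]` in getFormatType, `char key[33]` in getDimensions) and the `PT > 9999999` threshold are hand-counted and unexplained, so a later edit to either format string could bring back silent truncation, which neither snprintf() call checks for. Assuming a 64-bit `unsigned long`, the longest output is 12 + 20 digits + NUL = 33 bytes for `a=framesize:` and 30 bytes for `a=rtpmap:`, and 9999999 appears to be the largest value that still fit the old `char key[20]`. A comment above the declaration in getDimensions would record this, for example `// "a=framesize:" (12) + up to 20 digits of a 64-bit unsigned long + NUL = 33; PT > 9999999 would have overflowed the old 20-byte buffer`. The same comment should say that the event-log branch only records the oversized PT and the lookup still proceeds, since that looks intentional but is not obvious. Both function bodies begin and end outside the hunks shown.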