Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ef4ce157 authored by Marco Nelissen's avatar Marco Nelissen
Browse files

Fix OOB access in mpeg4/h263 decoder 

The decoder does not support an increase in frame width, and
would exceed its buffer if the width increased mid-stream.
There was an existing check to prevent the total frame size
(width*height) from increasing, but in fact the decoder also
does not even support a width increase, even if the height
decreases correspondingly.

Bug: 136175447
Bug: 136173699
Test: manual
Change-Id: Ic2d28bb0503635dadeb69ba3be9412d58684e910
parent 7802c68a

media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp

+8 −0
Original line number Original line Diff line number Diff line
@@ -1355,6 +1355,14 @@ PV_STATUS DecodeShortHeader(VideoDecData *video, Vop *currVop) 
            int tmpHeight = (tmpDisplayHeight + 15) & -16;

            int tmpHeight = (tmpDisplayHeight + 15) & -16;

            int tmpWidth = (tmpDisplayWidth + 15) & -16;

            int tmpWidth = (tmpDisplayWidth + 15) & -16;





            if (tmpWidth > video->width)

            {

                // while allowed by the spec, this decoder does not actually

                // support an increase in size.

                ALOGE("width increase not supported");

                status = PV_FAIL;

                goto return_point;

            }

            if (tmpHeight * tmpWidth > video->size)

            if (tmpHeight * tmpWidth > video->size)

            {

            {

                // This is just possibly "b/37079296".

                // This is just possibly "b/37079296".