
Commit 3d800be2 authored by Santiago Seifert's avatar Santiago Seifert

Prevent overflow and out-of-bounds access

Bug: 177617358
Test: atest CtsMediaTestCases:MediaExtractorTest
Test: atest CtsMediaTestCases:MediaPlayerTest
Change-Id: I18b7461aae1ea61348670bc8f71a5a4995c92e67
Merged-In: I18b7461aae1ea61348670bc8f71a5a4995c92e67
parent 0b5d7ce5
+18 −10
@@ -6104,9 +6104,13 @@ media_status_t MPEG4Source::read(
        if (newBuffer) {
            if (mIsPcm) {
                // The twos' PCM block reader assumes that all samples has the same size.

                uint32_t samplesToRead = mSampleTable->getLastSampleIndexInChunk()
                                                      - mCurrentSampleIndex + 1;
                uint32_t lastSampleIndexInChunk = mSampleTable->getLastSampleIndexInChunk();
                if (lastSampleIndexInChunk < mCurrentSampleIndex) {
                    mBuffer->release();
                    mBuffer = nullptr;
                    return AMEDIA_ERROR_UNKNOWN;
                }
                uint32_t samplesToRead = lastSampleIndexInChunk - mCurrentSampleIndex + 1;
                if (samplesToRead > kMaxPcmFrameSize) {
                    samplesToRead = kMaxPcmFrameSize;
                }
@@ -6116,12 +6120,16 @@ media_status_t MPEG4Source::read(
                      mSampleTable->getLastSampleIndexInChunk());

                size_t totalSize = samplesToRead * size;
                if (mBuffer->size() < totalSize) {
                    mBuffer->release();
                    mBuffer = nullptr;
                    return AMEDIA_ERROR_UNKNOWN;
                }
                uint8_t* buf = (uint8_t *)mBuffer->data();
                ssize_t bytesRead = mDataSource->readAt(offset, buf, totalSize);
                if (bytesRead < (ssize_t)totalSize) {
                    mBuffer->release();
                    mBuffer = NULL;

                    return AMEDIA_ERROR_IO;
                }
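Review bot: The added bounds check in the second hunk compares `mBuffer->size()` against `totalSize`, but `size_t totalSize = samplesToRead * size;` is computed unchecked, so the product can wrap before the comparison sees it. The declaration of `size` is outside the hunk; if it is a 32-bit type, or the build is 32-bit, a large per-sample size taken from the file could wrap to a small value that passes the check. Any later code that uses `samplesToRead` and `size` separately would then disagree with what was validated. I would fold the overflow test into the guard: `size_t totalSize;` followed by `if (__builtin_mul_overflow(samplesToRead, size, &totalSize) || mBuffer->size() < totalSize) {`. MPEG4Source::read starts and ends outside the visible hunks, so the later uses of these values should be checked against the same bound.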