Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 44a74d57 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty
Browse files

Merge tag 'android-security-8.1.0_r84' into staging/lineage-15.1_merge_android-security-8.1.0_r84 

Android security 8.1.0 release 84

* tag 'android-security-8.1.0_r84':
  Fix potential overflow in WAV extractor
  Fix memory overflow in ESQueue

Change-Id: I4d91be4abdf3c4db57c15d921b9259ed9f56f7db
parents 85ea66ec 086d56e6

media/libstagefright/WAVExtractor.cpp

+9 −9
Original line number Diff line number Diff line
@@ -60,7 +60,7 @@ struct WAVSource : public MediaSource { 
            const sp<DataSource> &dataSource,

            const sp<MetaData> &meta,

            uint16_t waveFormat,

            int32_t bitsPerSample,

            uint32_t bitsPerSample,

            off64_t offset, size_t size);



    virtual status_t start(MetaData *params = NULL);
@@ -81,9 +81,9 @@ private: 
    sp<DataSource> mDataSource;

    sp<MetaData> mMeta;

    uint16_t mWaveFormat;

    int32_t mSampleRate;

    int32_t mNumChannels;

    int32_t mBitsPerSample;

    uint32_t mSampleRate;

    uint32_t mNumChannels;

    uint32_t mBitsPerSample;

    off64_t mOffset;

    size_t mSize;

    bool mStarted;
@@ -351,7 +351,7 @@ WAVSource::WAVSource( 
        const sp<DataSource> &dataSource,

        const sp<MetaData> &meta,

        uint16_t waveFormat,

        int32_t bitsPerSample,

        uint32_t bitsPerSample,

        off64_t offset, size_t size)

    : mDataSource(dataSource),

      mMeta(meta),
@@ -363,8 +363,8 @@ WAVSource::WAVSource( 
      mSize(size),

      mStarted(false),

      mGroup(NULL) {

    CHECK(mMeta->findInt32(kKeySampleRate, &mSampleRate));

    CHECK(mMeta->findInt32(kKeyChannelCount, &mNumChannels));

    CHECK(mMeta->findInt32(kKeySampleRate, (int32_t*) &mSampleRate));

    CHECK(mMeta->findInt32(kKeyChannelCount, (int32_t*) &mNumChannels));



    mMeta->setInt32(kKeyMaxInputSize, kMaxFrameSize);

}
@@ -452,8 +452,8 @@ status_t WAVSource::read( 
        mBitsPerSample == 8 ? kMaxFrameSize / 2 : 

        (mBitsPerSample == 24 ? 3*(kMaxFrameSize/3): kMaxFrameSize);



    size_t maxBytesAvailable =

        (mCurrentPos - mOffset >= (off64_t)mSize)

    const size_t maxBytesAvailable =

        (mCurrentPos < mOffset || mCurrentPos - mOffset >= (off64_t)mSize)

            ? 0 : mSize - (mCurrentPos - mOffset);



    if (maxBytesToRead > maxBytesAvailable) {

media/libstagefright/mpeg2ts/ESQueue.cpp

+7 −1
Original line number Diff line number Diff line
@@ -1119,7 +1119,13 @@ sp<ABuffer> ElementaryStreamQueue::dequeueAccessUnitH264() { 
                if (mSampleDecryptor != NULL && (nalType == 1 || nalType == 5)) {

                    uint8_t *nalData = mBuffer->data() + pos.nalOffset;

                    size_t newSize = mSampleDecryptor->processNal(nalData, pos.nalSize);

                    // Note: the data can shrink due to unescaping

                    // Note: the data can shrink due to unescaping, but it can never grow

                    if (newSize > pos.nalSize) {

                        // don't log unless verbose, since this can get called a lot if

                        // the caller is trying to resynchronize

                        ALOGV("expected sample size < %u, got %zu", pos.nalSize, newSize);

                        return NULL;

                    }

                    memcpy(accessUnit->data() + dstOffset + 4,

                            nalData,

                            newSize);