Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4a492bf2 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Lajos Molnar
Browse files

Fix integer underflow in covr MPEG4 processing 

When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b
parent 0e27e080

media/libstagefright/MPEG4Extractor.cpp

+4 −0
Original line number Diff line number Diff line
@@ -1758,6 +1758,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                    return ERROR_IO;

                }

                const int kSkipBytesOfDataBox = 16;

                if (chunk_data_size <= kSkipBytesOfDataBox) {

                    return ERROR_MALFORMED;

                }



                mFileMetaData->setData(

                    kKeyAlbumArt, MetaData::TYPE_NONE,

                    buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);