
Commit 68f67ef6 authored by Ray Essick's avatar Ray Essick Committed by gitbuildkicker

Fix corruption via buffer overflow in mediaserver

Change unbounded sprintf() calls to snprintf() so network-provided values
can't overflow the buffers.

Applicable to all K/L/M/N branches.

Bug: 25747670
Change-Id: Id6a5120c2d08a6fbbd47deffb680ecf82015f4f6
parent c2639afa
+9 −5
@@ -17,6 +17,7 @@
//#define LOG_NDEBUG 0
#define LOG_TAG "ASessionDescription"
#include <utils/Log.h>
#include <cutils/log.h>

#include "ASessionDescription.h"

@@ -211,12 +212,12 @@ void ASessionDescription::getFormatType(

    *PT = x;

    char key[20];
    sprintf(key, "a=rtpmap:%lu", x);
    char key[32];
    snprintf(key, sizeof(key), "a=rtpmap:%lu", x);

    CHECK(findAttribute(index, key, desc));

    sprintf(key, "a=fmtp:%lu", x);
    snprintf(key, sizeof(key), "a=fmtp:%lu", x);
    if (!findAttribute(index, key, params)) {
        params->clear();
    }
@@ -228,8 +229,11 @@ bool ASessionDescription::getDimensions(
    *width = 0;
    *height = 0;

    char key[20];
    sprintf(key, "a=framesize:%lu", PT);
    char key[33];
    snprintf(key, sizeof(key), "a=framesize:%lu", PT);
    if (PT > 9999999) {
        android_errorWriteLog(0x534e4554, "25747670");
    }
    AString value;
    if (!findAttribute(index, key, &value)) {
        return false;
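Review bot: The `PT > 9999999` threshold in the getDimensions hunk is an unexplained magic number. It appears to be the largest value for which the 12-character `a=framesize:` prefix, the digits and the NUL still fit the old 20-byte key, so a comment such as `// more than 7 digits would have overrun the old char key[20]; log the attempt (0x534e4554 is "SNET")` would make the intent clear. The getFormatType hunk fixes the same pattern but adds no such log, so where `%lu` is 64 bits wide an oversized `x` in `a=rtpmap:` or `a=fmtp:` is contained by snprintf() without leaving any detection signal. If that is deliberate, say so in a comment; otherwise mirror the log there. Both function bodies begin and end outside the visible hunks, so the types of `x` and `PT` are inferred from the format strings only.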