Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6e7e30d4 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by The Android Automerger
Browse files

Fix integer underflow in covr MPEG4 processing 

When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b
parent b9f68d99

media/libstagefright/MPEG4Extractor.cpp

+4 −0
Original line number Diff line number Diff line
@@ -1934,6 +1934,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
                    return ERROR_IO;

                }

                const int kSkipBytesOfDataBox = 16;

                if (chunk_data_size <= kSkipBytesOfDataBox) {

                    return ERROR_MALFORMED;

                }



                mFileMetaData->setData(

                    kKeyAlbumArt, MetaData::TYPE_NONE,

                    buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);