Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7c6f217f authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Jon Larimer
Browse files

Prevent integer underflow if size is below 6 

When processing 3GPP metadata, a subtraction operation may underflow and
lead to a rather large linear byteswap operation in the subsequent
framedata decoding code. Bound the 'size' value to prevent this from
occurring.

Bug: 20923261
Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5
parent 4ec8ab47

media/libstagefright/MPEG4Extractor.cpp

+4 −0
Original line number Diff line number Diff line
@@ -2480,6 +2480,10 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept 
        int len16 = 0; // Number of UTF-16 characters



        // smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00

        if (size < 6) {

            return ERROR_MALFORMED;

        }



        if (size - 6 >= 4) {

            len16 = ((size - 6) / 2) - 1; // don't include 0x0000 terminator

            framedata = (char16_t *)(buffer + 6);