Merge "C2HIDL: Prevent OOB read in ParseParamsBlob" (9bdcf8b0) · Commits · e / os / android_frameworks_av

media/codec2/hidl/1.0/utils/types.cpp

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1613,6 +1613,7 @@ bool parseParamsBlob(std::vector<C2Param> params, const hidl_vec<uint8_t> &blo
	// assuming blob is const here		// assuming blob is const here
	size_t size = blob.size();		size_t size = blob.size();
	size_t ix = 0;		size_t ix = 0;
			size_t old_ix = 0;
	const uint8_t *data = blob.data();		const uint8_t *data = blob.data();
	C2Param *p = nullptr;		C2Param *p = nullptr;

	@@ -1620,8 +1621,13 @@ bool parseParamsBlob(std::vector<C2Param> params, const hidl_vec<uint8_t> &blo
	p = C2ParamUtils::ParseFirst(data + ix, size - ix);		p = C2ParamUtils::ParseFirst(data + ix, size - ix);
	if (p) {		if (p) {
	params->emplace_back(p);		params->emplace_back(p);
			old_ix = ix;
	ix += p->size();		ix += p->size();
	ix = align(ix, PARAMS_ALIGNMENT);		ix = align(ix, PARAMS_ALIGNMENT);
			if (ix <= old_ix \|\| ix > size) {
			android_errorWriteLog(0x534e4554, "238083570");
			break;
			}
	}		}
	} while (p);		} while (p);