Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b3397b9e authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Fix for heap buffer overflow issue flagged by fuzzer test." into tm-dev am: c6acd02d 

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/24296967



Change-Id: I8c2462cdafdd040171465442168e3e3882f662dc
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents dedc9978 c6acd02d

media/mtp/MtpPacket.cpp

+31 −9
Original line number Original line Diff line number Diff line
@@ -92,25 +92,47 @@ void MtpPacket::copyFrom(const MtpPacket& src) { 
}

}





uint16_t MtpPacket::getUInt16(int offset) const {

uint16_t MtpPacket::getUInt16(int offset) const {

    if ((unsigned long)(offset+2) <= mBufferSize) {

        return ((uint16_t)mBuffer[offset + 1] << 8) | (uint16_t)mBuffer[offset];

        return ((uint16_t)mBuffer[offset + 1] << 8) | (uint16_t)mBuffer[offset];

    }

    }

    else {

        ALOGE("offset for buffer read is greater than buffer size!");

        abort();

    }

}





uint32_t MtpPacket::getUInt32(int offset) const {

uint32_t MtpPacket::getUInt32(int offset) const {

    if ((unsigned long)(offset+4) <= mBufferSize) {

        return ((uint32_t)mBuffer[offset + 3] << 24) | ((uint32_t)mBuffer[offset + 2] << 16) |

        return ((uint32_t)mBuffer[offset + 3] << 24) | ((uint32_t)mBuffer[offset + 2] << 16) |

               ((uint32_t)mBuffer[offset + 1] << 8)  | (uint32_t)mBuffer[offset];

               ((uint32_t)mBuffer[offset + 1] << 8)  | (uint32_t)mBuffer[offset];

    }

    }

    else {

        ALOGE("offset for buffer read is greater than buffer size!");

        abort();

    }

}





void MtpPacket::putUInt16(int offset, uint16_t value) {

void MtpPacket::putUInt16(int offset, uint16_t value) {

    if ((unsigned long)(offset+2) <= mBufferSize) {

        mBuffer[offset++] = (uint8_t)(value & 0xFF);

        mBuffer[offset++] = (uint8_t)(value & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);

    }

    }

    else {

        ALOGE("offset for buffer write is greater than buffer size!");

    }

}





void MtpPacket::putUInt32(int offset, uint32_t value) {

void MtpPacket::putUInt32(int offset, uint32_t value) {

    if ((unsigned long)(offset+4) <= mBufferSize) {

        mBuffer[offset++] = (uint8_t)(value & 0xFF);

        mBuffer[offset++] = (uint8_t)(value & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 16) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 16) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 24) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 24) & 0xFF);

    }

    }

    else {

        ALOGE("offset for buffer write is greater than buffer size!");

    }

}





uint16_t MtpPacket::getContainerCode() const {

uint16_t MtpPacket::getContainerCode() const {

    return getUInt16(MTP_CONTAINER_CODE_OFFSET);

    return getUInt16(MTP_CONTAINER_CODE_OFFSET);