Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b3768224 authored by Shruti Bihani's avatar Shruti Bihani
Browse files

Fix for heap buffer overflow issue flagged by fuzzer test. 

OOB write occurs when a value is assigned to a buffer index which is greater than the buffer size. Adding a check on buffer bounds fixes the issue.

Similar checks have been added wherever applicable on other such methods of the class.

Bug: 243463593
Test: Build mtp_packet_fuzzer and run on the target device
Change-Id: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b
Merged-In: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b
(cherry picked from commit a669e34b)
parent c2968abe

media/mtp/MtpPacket.cpp

+31 −9
Original line number Diff line number Diff line
@@ -92,25 +92,47 @@ void MtpPacket::copyFrom(const MtpPacket& src) { 
}



uint16_t MtpPacket::getUInt16(int offset) const {

    if ((unsigned long)(offset+2) <= mBufferSize) {

        return ((uint16_t)mBuffer[offset + 1] << 8) | (uint16_t)mBuffer[offset];

    }

    else {

        ALOGE("offset for buffer read is greater than buffer size!");

        abort();

    }

}



uint32_t MtpPacket::getUInt32(int offset) const {

    if ((unsigned long)(offset+4) <= mBufferSize) {

        return ((uint32_t)mBuffer[offset + 3] << 24) | ((uint32_t)mBuffer[offset + 2] << 16) |

               ((uint32_t)mBuffer[offset + 1] << 8)  | (uint32_t)mBuffer[offset];

    }

    else {

        ALOGE("offset for buffer read is greater than buffer size!");

        abort();

    }

}



void MtpPacket::putUInt16(int offset, uint16_t value) {

    if ((unsigned long)(offset+2) <= mBufferSize) {

        mBuffer[offset++] = (uint8_t)(value & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);

    }

    else {

        ALOGE("offset for buffer write is greater than buffer size!");

    }

}



void MtpPacket::putUInt32(int offset, uint32_t value) {

    if ((unsigned long)(offset+4) <= mBufferSize) {

        mBuffer[offset++] = (uint8_t)(value & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 16) & 0xFF);

        mBuffer[offset++] = (uint8_t)((value >> 24) & 0xFF);

    }

    else {

        ALOGE("offset for buffer write is greater than buffer size!");

    }

}



uint16_t MtpPacket::getContainerCode() const {

    return getUInt16(MTP_CONTAINER_CODE_OFFSET);