
Commit b83c4389 authored by Ian Baker's avatar Ian Baker

Fix Unsigned-integer-overflow in MPEG4Extractor

Caused by the extractor reading an unsigned integer into a
signed integer.
Also added checks for unsigned-integer overflow.

Bug: 232242894
Test: Ran the fuzzer using the bug's testcase.
Change-Id: Ibb195ba86e7d68c3f2c43ed6a750b0569b7e7dbe
parent 262c4cb2
+15 −4
@@ -5908,12 +5908,18 @@ status_t MPEG4Source::parseTrackFragmentRun(off64_t offset, off64_t size) {
            return -EINVAL;
        }

        int32_t dataOffsetDelta;
        if (!mDataSource->getUInt32(offset, (uint32_t*)&dataOffsetDelta)) {
        uint32_t dataOffsetDelta;
        if (!mDataSource->getUInt32(offset, &dataOffsetDelta)) {
            return ERROR_MALFORMED;
        }

        dataOffset = mTrackFragmentHeaderInfo.mBaseDataOffset + dataOffsetDelta;
        if (__builtin_add_overflow(
                mTrackFragmentHeaderInfo.mBaseDataOffset, dataOffsetDelta, &dataOffset)) {
            ALOGW("b/232242894 mBaseDataOffset(%" PRIu64 ") + dataOffsetDelta(%u) overflows uint64",
                    mTrackFragmentHeaderInfo.mBaseDataOffset, dataOffsetDelta);
            android_errorWriteLog(0x534e4554, "232242894");
            return ERROR_MALFORMED;
        }

        offset += 4;
        size -= 4;
@@ -6047,7 +6053,12 @@ status_t MPEG4Source::parseTrackFragmentRun(off64_t offset, off64_t size) {
            return NO_MEMORY;
        }

        dataOffset += sampleSize;
        if (__builtin_add_overflow(dataOffset, sampleSize, &dataOffset)) {
            ALOGW("b/232242894 dataOffset(%" PRIu64 ") + sampleSize(%u) overflows uint64",
                    dataOffset, sampleSize);
            android_errorWriteLog(0x534e4554, "232242894");
            return ERROR_MALFORMED;
        }
    }

    mTrackFragmentHeaderInfo.mDataOffset = dataOffset;
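Review bot: Declaring `dataOffsetDelta` as `uint32_t` in the first hunk changes how the field is interpreted: ISO/IEC 14496-12 defines `data_offset` in the track run box as a signed 32-bit value, so a negative delta is now treated as a forward offset of nearly 4 GiB instead of a backward one. `__builtin_add_overflow` accepts mixed operand types and checks the exact result against the destination type, so the delta can stay signed while wrap-around is still rejected in both directions: `if (__builtin_add_overflow(mTrackFragmentHeaderInfo.mBaseDataOffset, static_cast<int32_t>(dataOffsetDelta), &dataOffset)) {`, logging the signed value with `%d`. This assumes `mBaseDataOffset` and `dataOffset` are `uint64_t`, as the `PRIu64` format and the "overflows uint64" message suggest. Their declarations and the rest of `parseTrackFragmentRun` are outside the hunks shown.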