Commit bffcdca8 authored by Sohail Nagaraj, committed by Sohail Nagaraj (xWF)

Prevent OOB write in MPEG4Writer::writeIpcoBox()

Add a check to ensure that the size of the csd is at least
23 bytes before creating the hvcC box

Bug: 348525643
Bug: 347125598

Test: ./libstagefright_writer_fuzzer
Change-Id: I6d0b526566c368da1880d9af333965ab54dfcefa
parent 32325124
+5 −0
@@ -2535,6 +2535,11 @@ void MPEG4Writer::Track::addItemOffsetAndSize(off64_t offset, size_t size, bool
    bool hasGrid = (mTileWidth > 0);

    if (mProperties.empty()) {
        // Min length of hvcC CSD is 23. (ISO/IEC 14496-15:2014 Chapter 8.4.1.1.2)
        if (mIsHeif && mCodecSpecificDataSize < 23) {
            ALOGE("hvcC csd size is less than 23 bytes");
            return;
        }
        mProperties.push_back(mOwner->addProperty_l({
            .type = static_cast<uint32_t>(mIsAvif ?
                  FOURCC('a', 'v', '1', 'C') :
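Review bot: The new guard at the top of the `mProperties.empty()` branch is keyed on `mIsHeif`, while the property type selected just below is keyed on `mIsAvif`, so if AVIF tracks also have `mIsHeif` set, the 23-byte hvcC minimum is enforced on av1C CSD too, where that limit from ISO/IEC 14496-15 does not apply. Consider gating on the non-AVIF case explicitly (for example `mIsHeif && !mIsAvif`) or on whichever flag means HEVC specifically. Separately, the bare `return` in this void function drops the item with only an `ALOGE`, so the caller of addItemOffsetAndSize() cannot tell the item was skipped and the writer carries on; it would be safer to record an error state that stops the write. The commit title names writeIpcoBox() as the site of the OOB write, but the check lands here in addItemOffsetAndSize(), so a short comment tying this guard to the read it protects would help, as would a named constant in place of the literal 23.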