
Commit c774f164 authored by Joshua J. Drake, committed by Gerrit Code Review

Fix integer underflow in covr MPEG4 processing

When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b
(cherry picked from commit b1f29294)
parent 66f43fc5
+4 −0
@@ -2158,6 +2158,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                    return ERROR_IO;
                }
                const int kSkipBytesOfDataBox = 16;
                if (chunk_data_size <= kSkipBytesOfDataBox) {
                    return ERROR_MALFORMED;
                }

                mFileMetaData->setData(
                    kKeyAlbumArt, MetaData::TYPE_NONE,
                    buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
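
Review bot: The guard `if (chunk_data_size <= kSkipBytesOfDataBox)` also rejects a covr data box of exactly 16 bytes, whereas the commit message only describes the case where chunk_data_size is less than kSkipBytesOfDataBox. If treating a zero-length album art payload as ERROR_MALFORMED is intended, say so in a one-line comment above the check, and note there that it protects the `chunk_data_size - kSkipBytesOfDataBox` subtraction passed to setData, so a later cleanup does not relax or remove it. If an empty payload should be tolerated, `<` is enough to prevent the underflow. The declaration of chunk_data_size and the allocation of `buffer` are outside this hunk, so it is also worth confirming that the remaining length cannot exceed what `buffer` actually holds and that the difference fits the size parameter of setData without truncation.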