Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit c980a015 authored by Kevin F. Haggerty's avatar Kevin F. Haggerty
Browse files

Merge tag 'android-security-11.0.0_r51' into staging/lineage-18.1_merge-android-security-11.0.0_r51 

Android security 11.0.0 release 51

* tag 'android-security-11.0.0_r51':
  Safetynet logging for b/204445255
  Better buffer-overrun prevention
  SimpleDecodingSource:Prevent OOB write in heap mem

Change-Id: I9035708c0ac14ac0a2179253518b102a019539f2
parents 391d2f67 6f26167e

media/libmediametrics/include/media/MediaMetricsItem.h

+6 −5
Original line number Diff line number Diff line
@@ -27,6 +27,7 @@ 
#include <variant>



#include <binder/Parcel.h>

#include <log/log.h>

#include <utils/Errors.h>

#include <utils/Timers.h> // nsecs_t
@@ -466,16 +467,16 @@ protected: 
    template <> // static

    status_t extract(std::string *val, const char **bufferpptr, const char *bufferptrmax) {

        const char *ptr = *bufferpptr;

        while (*ptr != 0) {

        do {

            if (ptr >= bufferptrmax) {

                ALOGE("%s: buffer exceeded", __func__);

                android_errorWriteLog(0x534e4554, "204445255");

                return BAD_VALUE;

            }

            ++ptr;

        }

        const size_t size = (ptr - *bufferpptr) + 1;

        } while (*ptr++ != 0);

        // ptr is terminator+1, == bufferptrmax if we finished entire buffer

        *val = *bufferpptr;

        *bufferpptr += size;

        *bufferpptr = ptr;

        return NO_ERROR;

    }

    template <> // static

media/libstagefright/SimpleDecodingSource.cpp

+8 −3
Original line number Diff line number Diff line
@@ -325,11 +325,16 @@ status_t SimpleDecodingSource::doRead( 
                    if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {

                        numPageSamples = -1;

                    }

                    if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {

                        memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));

                        cpLen += sizeof(numPageSamples);

                    } else {

                        ALOGW("Didn't have enough space to copy kKeyValidSamples");

                    }

                }



                res = mCodec->queueInputBuffer(

                        in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),

                        in_ix, 0 /* offset */, cpLen,

                        timestampUs, 0 /* flags */);

                if (res != OK) {

                    ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);