Commit f3590a1b authored by Gopalakrishnan Nallasamy

SimpleDecodingSource:Prevent OOB write in heap mem

doRead() doesn't handle situations when received bytes do not fit into
input buffer in case of vorbis audio compression. It results in OOB
write in heap memory right after the allocated input buffer. Added
code to copy kKeyValidSamples only if there was enough space.
Otherwise, print a warning log.

Bug: 194105348

Test: post-submit media cts tests
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
(cherry picked from commit a625b40e)
parent d13a4efc
+8 −3
@@ -324,11 +324,16 @@ status_t SimpleDecodingSource::doRead(
                    if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
                        numPageSamples = -1;
                    }
                    if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
                        memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
                        cpLen += sizeof(numPageSamples);
                    } else {
                        ALOGW("Didn't have enough space to copy kKeyValidSamples");
                    }
                }

                res = mCodec->queueInputBuffer(
                        in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
                        in_ix, 0 /* offset */, cpLen,
                        timestampUs, 0 /* flags */);
                if (res != OK) {
                    ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);
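Review bot: In the else branch of the capacity check, the code only logs with ALOGW and then falls through to queueInputBuffer() with cpLen, so a Vorbis buffer is queued without the kKeyValidSamples trailer. If the consumer reads the last four bytes of each Vorbis input as the sample count, it would now take them from the audio payload. Consider returning an error or skipping the buffer in that branch, and include cpLen and in_buffer->capacity() in the warning so the condition can be diagnosed from logs. The hunk also does not show where cpLen is computed; it is worth confirming that the payload copy itself is bounded by capacity, since this check covers only the trailer.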