
Commit f9391b39 authored by Ray Essick's avatar Ray Essick Committed by gitbuildkicker

Fix corruption via buffer overflow in mediaserver

Change unbounded sprintf() to snprintf() so network-provided values
can't overflow the buffers.

Applicable to all K/L/M/N branches.

Bug: 25747670
Change-Id: Id6a5120c2d08a6fbbd47deffb680ecf82015f4f6
parent 49a847e0
+9 −5
@@ -17,6 +17,7 @@
//#define LOG_NDEBUG 0
//#define LOG_NDEBUG 0
#define LOG_TAG "ASessionDescription"
#define LOG_TAG "ASessionDescription"
#include <utils/Log.h>
#include <utils/Log.h>
#include <cutils/log.h>


#include "ASessionDescription.h"
#include "ASessionDescription.h"


@@ -211,12 +212,12 @@ void ASessionDescription::getFormatType(


    *PT = x;
    *PT = x;


    char key[20];
    char key[32];
    sprintf(key, "a=rtpmap:%lu", x);
    snprintf(key, sizeof(key), "a=rtpmap:%lu", x);


    CHECK(findAttribute(index, key, desc));
    CHECK(findAttribute(index, key, desc));


    sprintf(key, "a=fmtp:%lu", x);
    snprintf(key, sizeof(key), "a=fmtp:%lu", x);
    if (!findAttribute(index, key, params)) {
    if (!findAttribute(index, key, params)) {
        params->clear();
        params->clear();
    }
    }
@@ -228,8 +229,11 @@ bool ASessionDescription::getDimensions(
    *width = 0;
    *width = 0;
    *height = 0;
    *height = 0;


    char key[20];
    char key[33];
    sprintf(key, "a=framesize:%lu", PT);
    snprintf(key, sizeof(key), "a=framesize:%lu", PT);
    if (PT > 9999999) {
        android_errorWriteLog(0x534e4554, "25747670");
    }
    AString value;
    AString value;
    if (!findAttribute(index, key, &value)) {
    if (!findAttribute(index, key, &value)) {
        return false;
        return false;
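Review bot: The overflow-attempt logging added in getDimensions has no counterpart in getFormatType, where the same 20-byte `key` was previously filled by two unbounded sprintf() calls, so oversized values arriving through the `a=rtpmap:` / `a=fmtp:` path are bounded now but leave no record. The threshold `9999999` is also unexplained; it appears to be the largest PT whose `a=framesize:%lu` string (12 characters + 7 digits + NUL) still fit the old `key[20]`, and a comment such as `// PT above 7 digits would have overflowed the pre-fix key[20]; log the attempt` would say so. By the same arithmetic the rtpmap key (9 characters) overflowed the old buffer only above ten digits, so a matching guard would be `if (x > 9999999999ULL) android_errorWriteLog(0x534e4554, "25747670");`, which can only fire where unsigned long is 64 bits wide. The sizes 32 and 33 are both large enough for a 20-digit value but differ without a stated reason; a shared named constant or a one-line comment giving the worst-case length would make the bound checkable at a glance. Both function bodies start or continue outside the hunks shown.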