Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Fix integer underflow in covr MPEG4 processing
When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b
  • Loading branch information
jduck authored and ciwrl committed Jul 14, 2015
1 parent c50f5a2 commit 0c3e1ca
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions media/libstagefright/MPEG4Extractor.cpp
Expand Up @@ -2006,6 +2006,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
return ERROR_IO;
}
const int kSkipBytesOfDataBox = 16;
if (chunk_data_size <= kSkipBytesOfDataBox) {
return ERROR_MALFORMED;
}

mFileMetaData->setData(
kKeyAlbumArt, MetaData::TYPE_NONE,
buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
Expand Down

0 comments on commit 0c3e1ca

Please sign in to comment.