Extra sanity checks on sample size and resolution

Instead of rejecting the samples later when they don't fit in the buffer, reject the entire file early. Bug: 22882938 Change-Id: I748153b0e9e827e3f2526468756295b4b5000de6 (cherry picked from commit beef7e5)
android-security · Jun 7, 2016 · 59aed18 · 59aed18
1 parent 3b7cb64
commit 59aed18
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
@@ -1383,15 +1383,27 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 // each chunk originally prefixed with a 2 byte length will
                 // have a 4 byte header (0x00 0x00 0x00 0x01) after conversion,
                 // and thus will grow by 2 bytes per chunk.
+                if (max_size > SIZE_MAX - 10 * 2) {
+                    ALOGE("max sample size too big: %zu", max_size);
+                    return ERROR_MALFORMED;
+                }
                 mLastTrack->meta->setInt32(kKeyMaxInputSize, max_size + 10 * 2);
             } else {
                 // No size was specified. Pick a conservatively large size.
-                int32_t width, height;
+                uint32_t width, height;
-                if (!mLastTrack->meta->findInt32(kKeyWidth, &width) ||
+                if (!mLastTrack->meta->findInt32(kKeyWidth, (int32_t*)&width) ||
-                    !mLastTrack->meta->findInt32(kKeyHeight, &height)) {
+                    !mLastTrack->meta->findInt32(kKeyHeight,(int32_t*) &height)) {
                     ALOGE("No width or height, assuming worst case 1080p");
                     width = 1920;
                     height = 1080;
+                } else {
+                    // A resolution was specified, check that it's not too big. The values below
+                    // were chosen so that the calculations below don't cause overflows, they're
+                    // not indicating that resolutions up to 32kx32k are actually supported.
+                    if (width > 32768 || height > 32768) {
+                        ALOGE("can't support %u x %u video", width, height);
+                        return ERROR_MALFORMED;
+                    }
                 }
 
                 const char *mime;