SimpleDecodingSource:Prevent OOB write in heap mem
doRead() doesn't handle situations when received byte do not fit into
input buffer in case of vorbis audio compression. It results in OOB
write in heap memory right after the allocated input buffer. Added
code to copy kKeyValidSamples only if there was enough space.
Otherwise, print a warning log.
Bug: 194105348
Test: post-submit media cts tests
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
(cherry picked from commit 3f3fdc20c97b0eb978bbaf6686e771157251f840)
Merged-In:I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
diff --git a/media/libstagefright/SimpleDecodingSource.cpp b/media/libstagefright/SimpleDecodingSource.cpp
index 771dfea..55aa86b 100644
--- a/media/libstagefright/SimpleDecodingSource.cpp
+++ b/media/libstagefright/SimpleDecodingSource.cpp
@@ -318,18 +318,23 @@
}
size_t cpLen = min(in_buf->range_length(), in_buffer->capacity());
memcpy(in_buffer->base(), (uint8_t *)in_buf->data() + in_buf->range_offset(),
- cpLen );
+ cpLen);
if (mIsVorbis) {
int32_t numPageSamples;
if (!in_buf->meta_data().findInt32(kKeyValidSamples, &numPageSamples)) {
numPageSamples = -1;
}
- memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+ memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ cpLen += sizeof(numPageSamples);
+ } else {
+ ALOGW("Didn't have enough space to copy kKeyValidSamples");
+ }
}
res = mCodec->queueInputBuffer(
- in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+ in_ix, 0 /* offset */, cpLen,
timestampUs, 0 /* flags */);
if (res != OK) {
ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);
