commit 2ba16f6134bd67e07ea0daa29aac5adb3155872b
author Robert Shih <robertshih@google.com> Sat Mar 21 23:04:56 2020 -0700
committer Robert Shih <robertshih@google.com> Sat Mar 21 23:12:35 2020 -0700
tree 3d271c319481906b679fcb08e18ad536d4dcd2f6
parent 01102840bc362208e1ec2e8d50e10f460af158f1

rtsp: fix integer overflow caused by malformed packets

Bug: 123940919
Test: adb shell am start -a android.intent.action.VIEW \
  -n com.google.android.apps.photos/.pager.HostPhotoPagerActivity \
  -t video/'*' -d rtsp://<rtsp_server2.py.host>/a.mp4
Change-Id: I2ef55d218e91aa4134150895ccf49ff81bee5891

media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp

diff --git a/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp b/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp
index 1e434cb..9df3508 100644
--- a/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp
+++ b/media/libstagefright/rtsp/AMPEG4ElementaryAssembler.cpp
@@ -338,6 +338,12 @@
             ABitReader bits(buffer->data() + offset, buffer->size() - offset);
 
             unsigned auxSize = bits.getBits(mAuxiliaryDataSizeLength);
+            if (buffer->size() < auxSize) {
+                ALOGE("b/123940919 auxSize %u", auxSize);
+                android_errorWriteLog(0x534e4554, "123940919");
+                queue->erase(queue->begin());
+                return MALFORMED_PACKET;
+            }
 
             offset += (mAuxiliaryDataSizeLength + auxSize + 7) / 8;
         }
@@ -346,6 +352,12 @@
              it != headers.end(); ++it) {
             const AUHeader &header = *it;
 
+            if (buffer->size() < header.mSize) {
+                ALOGE("b/123940919 AU_size %u", header.mSize);
+                android_errorWriteLog(0x534e4554, "123940919");
+                queue->erase(queue->begin());
+                return MALFORMED_PACKET;
+            }
             if (buffer->size() < offset + header.mSize) {
                 return MALFORMED_PACKET;
             }