Fix corruption via buffer overflow in mediaserver change unbound sprintf() to snprintf() so network-provided values can't overflow the buffers. Applicable to all K/L/M/N branches. Bug: 25747670 Change-Id: Id6a5120c2d08a6fbbd47deffb680ecf82015f4f6
diff --git a/media/libstagefright/rtsp/ASessionDescription.cpp b/media/libstagefright/rtsp/ASessionDescription.cpp index 98498e9..47573c3 100644 --- a/media/libstagefright/rtsp/ASessionDescription.cpp +++ b/media/libstagefright/rtsp/ASessionDescription.cpp
@@ -17,6 +17,7 @@ //#define LOG_NDEBUG 0 #define LOG_TAG "ASessionDescription" #include <utils/Log.h> +#include <cutils/log.h> #include "ASessionDescription.h" @@ -211,12 +212,12 @@ *PT = x; - char key[20]; - sprintf(key, "a=rtpmap:%lu", x); + char key[32]; + snprintf(key, sizeof(key), "a=rtpmap:%lu", x); CHECK(findAttribute(index, key, desc)); - sprintf(key, "a=fmtp:%lu", x); + snprintf(key, sizeof(key), "a=fmtp:%lu", x); if (!findAttribute(index, key, params)) { params->clear(); } @@ -228,8 +229,11 @@ *width = 0; *height = 0; - char key[20]; - sprintf(key, "a=framesize:%lu", PT); + char key[33]; + snprintf(key, sizeof(key), "a=framesize:%lu", PT); + if (PT > 9999999) { + android_errorWriteLog(0x534e4554, "25747670"); + } AString value; if (!findAttribute(index, key, &value)) { return false;