commit 5e751957ba692658b7f67eb03ae5ddb2cd3d970c
author Joshua J. Drake <android-open-source@qoop.org> Wed Apr 08 23:53:10 2015 -0500
committer The Android Automerger <android-build@google.com> Thu Jul 09 14:02:59 2015 -0700
tree d922546ec223bf6442467c9ef9efc6fc7d5646bc
parent 2434839bbd168469f80dd9a22f1328bc81046398

Fix integer underflow in ESDS processing

Several arithmetic operations within parseESDescriptor could underflow, leading
to an out-of-bounds read operation. Ensure that subtractions from 'size' do not
cause it to wrap around.

Bug: 20139950

(cherry picked from commit 07c0f59d6c48874982d2b5c713487612e5af465a)

Change-Id: I377d21051e07ca654ea1f7037120429d3f71924a

media/libstagefright/ESDS.cpp

diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp
index 427bf7b..8fbb57c 100644
--- a/media/libstagefright/ESDS.cpp
+++ b/media/libstagefright/ESDS.cpp
@@ -136,6 +136,8 @@
     --size;
 
     if (streamDependenceFlag) {
+        if (size < 2)
+            return ERROR_MALFORMED;
         offset += 2;
         size -= 2;
     }
@@ -145,11 +147,15 @@
             return ERROR_MALFORMED;
         }
         unsigned URLlength = mData[offset];
+        if (URLlength >= size)
+            return ERROR_MALFORMED;
         offset += URLlength + 1;
         size -= URLlength + 1;
     }
 
     if (OCRstreamFlag) {
+        if (size < 2)
+            return ERROR_MALFORMED;
         offset += 2;
         size -= 2;