OpusHeader: Fix integer overflow in GetOpusHeaderBuffers unified CSD parsing now checks for valid size of CSD Bug: 142861738 Test: poc in bug Test: atest android.media.cts.DecoderTest Change-Id: Iff742d2fdf4139bab7b5f378c1742ef52c0bbc78 Merged-In: Iff742d2fdf4139bab7b5f378c1742ef52c0bbc78

commit: 6b3b2f26fbbcf5ef5b41e00fc9c6bd4a164aa260 [log] [tgz]
author: Harish Mahendrakar <harish.mahendrakar@ittiam.com> Mon Oct 21 14:43:26 2019 -0700
committer: Bryan Ferris <bferris@google.com> Wed Feb 26 10:07:56 2020 -0800
tree: fc4cb33ac948b0257d7558ff95adde5d0db0e7fc
parent: 58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d [diff]
diff --git a/media/libstagefright/foundation/OpusHeader.cpp b/media/libstagefright/foundation/OpusHeader.cpp
index 513e41f..f5687e0 100644
--- a/media/libstagefright/foundation/OpusHeader.cpp
+++ b/media/libstagefright/foundation/OpusHeader.cpp

@@ -292,6 +292,10 @@
         *opusHeadSize = data_size;
         return true;
     } else if (memcmp(AOPUS_CSD_MARKER_PREFIX, data, AOPUS_CSD_MARKER_PREFIX_SIZE) == 0) {
+        if (data_size < AOPUS_UNIFIED_CSD_MINSIZE || data_size > AOPUS_UNIFIED_CSD_MAXSIZE) {
+            ALOGD("Unexpected size for unified opus csd %zu", data_size);
+            return false;
+        }
         size_t i = 0;
         bool found = false;
         while (i <= data_size - AOPUS_MARKER_SIZE - AOPUS_LENGTH_SIZE) {
commit	6b3b2f26fbbcf5ef5b41e00fc9c6bd4a164aa260	[log] [tgz]
author	Harish Mahendrakar <harish.mahendrakar@ittiam.com>	Mon Oct 21 14:43:26 2019 -0700
committer	Bryan Ferris <bferris@google.com>	Wed Feb 26 10:07:56 2020 -0800
tree	fc4cb33ac948b0257d7558ff95adde5d0db0e7fc
parent	58cc8f2c0254f03d66a28ae1cf0809c171d4ac7d [diff]