Fix Out of Bounds read in TextDescriptions.cpp Fixing vulnerability in extract3GGPGlobalDescriptions() in TextDescriptions.cpp Bug: 233735886 Test: Run related PoC. See bug. Change-Id: I87955b911d0a40390755321d332a11ecc9b20354

commit: b63d4e785ba4d896bbbd50d4f09bda13294926af [log] [tgz]
author: Iván Budnik <ivanbuper@google.com> Mon Jun 20 10:36:28 2022 +0000
committer: Iván Budnik <ivanbuper@google.com> Tue Jun 21 09:52:43 2022 +0000
tree: 1e286ee66fb03b4a3210cba974dbbdc0a188d1b2
parent: 726b9eb55cdb9b817ca2b63d72862fba2dcd0dfb [diff]
diff --git a/media/libstagefright/timedtext/TextDescriptions.cpp b/media/libstagefright/timedtext/TextDescriptions.cpp
index 2c2d11d..3fec9ed 100644
--- a/media/libstagefright/timedtext/TextDescriptions.cpp
+++ b/media/libstagefright/timedtext/TextDescriptions.cpp

@@ -466,6 +466,10 @@
 
                 if (subChunkType == FOURCC('f', 't', 'a', 'b'))
                 {
+                    if(subChunkSize < 8) {
+                        return OK;
+                    }
+
                     tmpData += 8;
                     size_t subChunkRemaining = subChunkSize - 8;
commit	b63d4e785ba4d896bbbd50d4f09bda13294926af	[log] [tgz]
author	Iván Budnik <ivanbuper@google.com>	Mon Jun 20 10:36:28 2022 +0000
committer	Iván Budnik <ivanbuper@google.com>	Tue Jun 21 09:52:43 2022 +0000
tree	1e286ee66fb03b4a3210cba974dbbdc0a188d1b2
parent	726b9eb55cdb9b817ca2b63d72862fba2dcd0dfb [diff]