commit | b63d4e785ba4d896bbbd50d4f09bda13294926af | [log] [tgz] |
---|---|---|
author | Iván Budnik <ivanbuper@google.com> | Mon Jun 20 10:36:28 2022 +0000 |
committer | Iván Budnik <ivanbuper@google.com> | Tue Jun 21 09:52:43 2022 +0000 |
tree | 1e286ee66fb03b4a3210cba974dbbdc0a188d1b2 | |
parent | 726b9eb55cdb9b817ca2b63d72862fba2dcd0dfb [diff] |
Fix Out of Bounds read in TextDescriptions.cpp Fixing vulnerability in extract3GGPGlobalDescriptions() in TextDescriptions.cpp Bug: 233735886 Test: Run related PoC. See bug. Change-Id: I87955b911d0a40390755321d332a11ecc9b20354
diff --git a/media/libstagefright/timedtext/TextDescriptions.cpp b/media/libstagefright/timedtext/TextDescriptions.cpp index 2c2d11d..3fec9ed 100644 --- a/media/libstagefright/timedtext/TextDescriptions.cpp +++ b/media/libstagefright/timedtext/TextDescriptions.cpp
@@ -466,6 +466,10 @@ if (subChunkType == FOURCC('f', 't', 'a', 'b')) { + if(subChunkSize < 8) { + return OK; + } + tmpData += 8; size_t subChunkRemaining = subChunkSize - 8;