Validate lengths in HEVC metadata parsing
Add code to validate the size parameter passed to
HevcParameterSets::addNalUnit(). Previously the function was vulnerable
to decrementing an unsigned value past 0, yielding a huge result value.
Bug: 35467107
Test: ran POC, no crash, emitted new "bad length" log entry
Change-Id: Ia169b9edc1e0f7c5302e3c68aa90a54e8863d79e
(cherry picked from commit e0dcf097cc029d056926029a29419e1650cbdf1b)
diff --git a/media/libstagefright/HevcUtils.cpp b/media/libstagefright/HevcUtils.cpp
index 718710a..7d463a9 100644
--- a/media/libstagefright/HevcUtils.cpp
+++ b/media/libstagefright/HevcUtils.cpp
@@ -45,16 +45,32 @@
}
status_t HevcParameterSets::addNalUnit(const uint8_t* data, size_t size) {
+ if (size < 1) {
+ ALOGE("empty NAL b/35467107");
+ return ERROR_MALFORMED;
+ }
uint8_t nalUnitType = (data[0] >> 1) & 0x3f;
status_t err = OK;
switch (nalUnitType) {
case 32: // VPS
+ if (size < 2) {
+ ALOGE("invalid NAL/VPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
err = parseVps(data + 2, size - 2);
break;
case 33: // SPS
+ if (size < 2) {
+ ALOGE("invalid NAL/SPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
err = parseSps(data + 2, size - 2);
break;
case 34: // PPS
+ if (size < 2) {
+ ALOGE("invalid NAL/PPS size b/35467107");
+ return ERROR_MALFORMED;
+ }
err = parsePps(data + 2, size - 2);
break;
case 39: // Prefix SEI
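Review bot: A NAL unit of exactly two bytes still passes the new `size < 2` guards in the VPS, SPS and PPS cases, so `parseVps`, `parseSps` and `parsePps` are each called with a length of 0. Those parsers are outside this hunk, so it is worth confirming that each one rejects input shorter than the fields it reads rather than relying on the caller. The three guards are otherwise identical apart from the log text. A short comment above the first one would record the contract, for example `// NAL header is 2 bytes; payload may be empty, parse*() must validate its own length`. The body of `addNalUnit` continues past the end of the hunk.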