Prevent integer issues in ID3::Iterator::findFrame
Integer overflows could occur a few places within findFrame. These can lead to
out-of-bounds reads and potentially infinite loops. Ensure that arithmetic does
not wrap around to prevent these behaviors.
Bug: 23285192
Change-Id: I72a61df7d5719d1d3f2bd0b37fba86f0f4bbedee
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index fb3ae49..683c6ef 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -638,6 +638,11 @@
mFrameSize += 6;
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
@@ -667,7 +672,7 @@
return;
}
- size_t baseSize;
+ size_t baseSize = 0;
if (mParent.mVersion == ID3_V2_4) {
if (!ParseSyncsafeInteger(
&mParent.mData[mOffset + 4], &baseSize)) {
@@ -677,7 +682,21 @@
baseSize = U32_AT(&mParent.mData[mOffset + 4]);
}
- mFrameSize = 10 + baseSize;
+ if (baseSize == 0) {
+ return;
+ }
+
+ // Prevent integer overflow when adding
+ if (SIZE_MAX - 10 <= baseSize) {
+ return;
+ }
+
+ mFrameSize = 10 + baseSize; // add tag id, size field and flags
+
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
