Fix Security Vulnerability in mediaserver

Crash on new CryptoPlugin::SubSample[]. numSubSamples
wasn't sanity checked; a malicious caller could pass
a very large number of subsamples, causing the new
operator to fail, which would crash the server process.
Add a sanity check to numSubSamples, which is defined
by the ISO-BMFF spec to be represented as unsigned 16
bits.

bug: 23718580
Change-Id: I36e18e60f2515289d1873640a3408c01e40a1174

diff --git a/media/libmedia/ICrypto.cpp b/media/libmedia/ICrypto.cpp
index ee7f757..f352f73 100644
--- a/media/libmedia/ICrypto.cpp
+++ b/media/libmedia/ICrypto.cpp
@@ -302,6 +302,10 @@
int32_t offset = data.readInt32();
int32_t numSubSamples = data.readInt32();
+ if (numSubSamples < 0 || numSubSamples > 0xffff) {
+ reply->writeInt32(BAD_VALUE);
+ return OK;
+ }
CryptoPlugin::SubSample *subSamples =
new CryptoPlugin::SubSample[numSubSamples];
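
Review bot: `offset`, read from the parcel on the line just above the new check, is the same kind of caller-controlled int32_t as numSubSamples and is not validated anywhere in this hunk. If it is not range-checked further down, outside the visible context, reject a negative value here in the same branch. On the added check itself, the limit `0xffff` is a bare literal; a named constant or a short comment citing the ISO-BMFF 16-bit subsample count would keep the reason for the bound next to the code. The reject path writes BAD_VALUE and returns silently, so a log line stating the rejected numSubSamples value would make malformed calls visible when triaging mediaserver issues.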