am 46eee08a: am c9a3ea62: am b70b09c9: Merge "OMXCodec: fix potential OOB read in parseHEVCCodecSpecificData" * commit '46eee08ad8469174e8572853c70db23802863726': OMXCodec: fix potential OOB read in parseHEVCCodecSpecificData

commit: 6d5a0de5177bccc17d0eb1b69a8ed88d620884a5 [log] [tgz]
author: Robert Shih <robertshih@google.com> Fri Aug 21 01:17:27 2015 +0000
committer: Android Git Automerger <android-git-automerger@android.com> Fri Aug 21 01:17:27 2015 +0000
tree: c5a0424013469abc0d5c612b47c933983a007013
parent: d9705f145718c6db7e20ed57ba9e6b41e110e4a3 [diff]
parent: 46eee08ad8469174e8572853c70db23802863726 [diff]
diff --git a/media/libstagefright/OMXCodec.cpp b/media/libstagefright/OMXCodec.cpp
index ef72bd4..25c5e27 100644
--- a/media/libstagefright/OMXCodec.cpp
+++ b/media/libstagefright/OMXCodec.cpp

@@ -393,7 +393,7 @@
     const uint8_t *ptr = (const uint8_t *)data;
 
     // verify minimum size and configurationVersion == 1.
-    if (size < 7 || ptr[0] != 1) {
+    if (size < 23 || ptr[0] != 1) {
         return ERROR_MALFORMED;
     }
 
@@ -408,6 +408,9 @@
     size -= 1;
     size_t j = 0, i = 0;
     for (i = 0; i < numofArrays; i++) {
+        if (size < 3) {
+            return ERROR_MALFORMED;
+        }
         ptr += 1;
         size -= 1;
commit	6d5a0de5177bccc17d0eb1b69a8ed88d620884a5	[log] [tgz]
author	Robert Shih <robertshih@google.com>	Fri Aug 21 01:17:27 2015 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	Fri Aug 21 01:17:27 2015 +0000
tree	c5a0424013469abc0d5c612b47c933983a007013
parent	d9705f145718c6db7e20ed57ba9e6b41e110e4a3 [diff]
parent	46eee08ad8469174e8572853c70db23802863726 [diff]