From bb08d535f724f35849627f4a9f9f03f9143af2f0 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <[email protected]>
Date: Sat, 15 Aug 2015 08:01:58 -0500
Subject: [PATCH] Prevent multiple memory corruption issues
Bounds checking within the ID3::removeUnsynchronizedV2_4 function was
erroneous. Several cases resulted in integer underflow or overflow. Prevent
these issues by ensuring key values are correct.
Change-Id: I83e6fcca905e901929aee528bf000f22de70f197
---
media/libstagefright/id3/ID3.cpp | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d9491d6..515b683 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -339,7 +339,8 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
return false;
}
- if (offset + dataSize + 10 > mSize) {
+ // Reject dataSize greater than the amount of data remaining
+ if (mSize - (offset + 10) <= dataSize) {
return false;
}
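Review bot: the replacement condition `mSize - (offset + 10) <= dataSize` changes behaviour at the boundary: the old check `offset + dataSize + 10 > mSize` accepted a frame whose data exactly fills the remaining bytes, while the new one rejects it. If that is intentional the comment should say so; otherwise `<` keeps the old semantics while still avoiding the wrap in `offset + dataSize + 10`. Also, the subtraction `mSize - (offset + 10)` is only safe when `offset + 10 <= mSize` is already guaranteed by a check outside this hunk; please confirm that guard exists, or make it explicit here, e.g. `if (offset + 10 > mSize || dataSize > mSize - offset - 10)`.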
@@ -349,8 +350,17 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
if (flags & 1) {
// Strip data length indicator
+ // Ensure there are at least 14 bytes left
+ if (mSize < offset
+ || (mSize - offset) < 14)
+ return false;
+
memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
mSize -= 4;
+
+ // Prevent dataSize from wrapping
+ if (dataSize < 4)
+ return false;
dataSize -= 4;
flags &= ~1;
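Review bot: the `if (dataSize < 4) return false;` rejection comes after the `memmove` and `mSize -= 4`, so a frame that fails it has already had `mData` shifted and `mSize` shrunk by the time the function returns false. Move that check up beside the 14-byte check, before the `memmove`, so a rejected frame leaves the buffer and `mSize` untouched. Minor style point: the two added brace-less `if ... return false;` statements should get braces to match the braced `if` bodies in the surrounding code.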
--
1.9.1