From 8f95773c9bcae728e3f753d99e2abebd41ae7060 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <[email protected]>
Date: Sat, 15 Aug 2015 08:17:03 -0500
Subject: [PATCH] Prevent integer issues in ID3::Iterator::findFrame
Integer overflows could occur in a few places within findFrame. These can lead to
out-of-bounds reads and potentially infinite loops. Ensure that arithmetic does
not wrap around to prevent these behaviors.
Change-Id: I72a61df7d5719d1d3f2bd0b37fba86f0f4bbedee
---
media/libstagefright/id3/ID3.cpp | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d9491d6..0e9b362 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -635,6 +635,11 @@ void ID3::Iterator::findFrame() {
}
mFrameSize += 6; // add tag id and size field
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
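Review bot: the added `return` in this hunk is missing its semicolon (`+ return` followed directly by `+ }`), so the file will not compile as patched; it should read `return;` like the corresponding line in the second hunk. Two smaller points on the same guard: `SIZE_MAX` needs `<stdint.h>`/`<cstdint>` to be in scope in ID3.cpp, which this diff does not show being included, and the early return leaves `mFrameSize` at its just-computed value and `mOffset` unchanged, so confirm that callers treat the iterator as finished in that state (or reset `mFrameSize` before returning, as the partial-frame path below it does for a truncated frame). The condition itself is correct: `SIZE_MAX - mOffset <= mFrameSize` bails out whenever `mOffset + mFrameSize` would reach or exceed `SIZE_MAX`, which is one value more conservative than strictly required but safe, and it is evaluated before the `mOffset + mFrameSize > mParent.mSize` comparison, so that comparison can no longer be defeated by wrap-around.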
@@ -678,8 +683,18 @@ void ID3::Iterator::findFrame() {
return;
}
+ // Prevent integer overflow when adding
+ if (SIZE_MAX - 10 <= baseSize) {
+ return;
+ }
+
mFrameSize = 10 + baseSize; // add tag id, size field and flags
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)10);
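Review bot: the `SIZE_MAX - mOffset <= mFrameSize` guard here is a verbatim copy of the one added in the first hunk, and `SIZE_MAX - 10 <= baseSize` is the same pattern with a constant; consider a small helper such as `static bool addWouldOverflow(size_t a, size_t b) { return SIZE_MAX - a < b; }` used at all three sites, so the ID3v2.3 and ID3v2.2 paths cannot drift apart again (the first hunk already shows how easily a copied block picks up a typo). The ordering in this hunk is right: `baseSize` is checked before `mFrameSize = 10 + baseSize` is computed, and the sum is then checked against `mOffset` before the `> mParent.mSize` comparison, so neither addition can wrap. As with the first hunk, both `return` statements leave the iterator with `mFrameSize` set to a non-zero value, which is worth a comment if that is the intended "stop iterating" signal.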
--
1.9.1