C2HIDL: Prevent OOB read in ParseParamsBlob
Prevent OOB read in ParseParamsBlob from libcodec2_hidl
Bug: 238083570
Test: Manual
Change-Id: I2fec8d2a72b5351eb05d6dfef4daca06c718cf2c
(cherry picked from commit 332795fde4f4d4f1b5d90a4de4877475984f9f03)
Merged-In: I2fec8d2a72b5351eb05d6dfef4daca06c718cf2c
diff --git a/media/codec2/hidl/1.0/utils/types.cpp b/media/codec2/hidl/1.0/utils/types.cpp
index 35a3b53..319ba62 100644
--- a/media/codec2/hidl/1.0/utils/types.cpp
+++ b/media/codec2/hidl/1.0/utils/types.cpp
@@ -1613,6 +1613,7 @@
// assuming blob is const here
size_t size = blob.size();
size_t ix = 0;
+ size_t old_ix = 0;
const uint8_t *data = blob.data();
C2Param *p = nullptr;
@@ -1620,8 +1621,13 @@
p = C2ParamUtils::ParseFirst(data + ix, size - ix);
if (p) {
params->emplace_back(p);
+ old_ix = ix;
ix += p->size();
ix = align(ix, PARAMS_ALIGNMENT);
+ if (ix <= old_ix || ix > size) {
+ android_errorWriteLog(0x534e4554, "238083570");
+ break;
+ }
}
} while (p);
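Review bot: `params->emplace_back(p)` runs before the new `ix <= old_ix || ix > size` check, so a param whose size is zero, whose size wraps the offset, or whose aligned end lies beyond the blob is already in the caller's vector when the loop breaks. Whether the function then reports failure is decided after the loop, which is outside this hunk (the `do` also opens above it), so a caller that reads `params` after a rejected blob would presumably still see the malformed entry. Computing the next offset first and appending only once it validates avoids that, and makes `old_ix` unnecessary. A short comment saying that `0x534e4554` is the SafetyNet event-log tag ("SNET") would also help readers of the log call.

```cpp
if (p) {
    // Validate the advance before publishing p to the caller's vector.
    size_t next_ix = align(ix + p->size(), PARAMS_ALIGNMENT);
    if (next_ix <= ix || next_ix > size) {
        // 0x534e4554 == "SNET": SafetyNet event-log tag
        android_errorWriteLog(0x534e4554, "238083570");
        break;
    }
    params->emplace_back(p);
    ix = next_ix;
}
```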