C2HIDL: Prevent OOB read in ParseParamsBlob Prevent OOB read in ParseParamsBlob from libcodec2_hidl Bug: 238083570 Test: Manual Change-Id: I2fec8d2a72b5351eb05d6dfef4daca06c718cf2c (cherry picked from commit 332795fde4f4d4f1b5d90a4de4877475984f9f03) Merged-In: I2fec8d2a72b5351eb05d6dfef4daca06c718cf2c

commit: 1f59b3e32a06666f590042c761546dbfa80df932 [log] [tgz]
author: Sungtak Lee <taklee@google.com> Tue Sep 13 05:46:42 2022 +0000
committer: Sungtak Lee <taklee@google.com> Thu Sep 15 07:11:44 2022 +0000
tree: 16108da13354a14d4b62d738e3b022e8f176217c
parent: 7c3252767b45c3d7fca4c0c525be03bbdb0fe468 [diff]
diff --git a/media/codec2/hidl/1.0/utils/types.cpp b/media/codec2/hidl/1.0/utils/types.cpp
index 35a3b53..319ba62 100644
--- a/media/codec2/hidl/1.0/utils/types.cpp
+++ b/media/codec2/hidl/1.0/utils/types.cpp

@@ -1613,6 +1613,7 @@
     // assuming blob is const here
     size_t size = blob.size();
     size_t ix = 0;
+    size_t old_ix = 0;
     const uint8_t *data = blob.data();
     C2Param *p = nullptr;
 
@@ -1620,8 +1621,13 @@
         p = C2ParamUtils::ParseFirst(data + ix, size - ix);
         if (p) {
             params->emplace_back(p);
+            old_ix = ix;
             ix += p->size();
             ix = align(ix, PARAMS_ALIGNMENT);
+            if (ix <= old_ix || ix > size) {
+                android_errorWriteLog(0x534e4554, "238083570");
+                break;
+            }
         }
     } while (p);
commit	1f59b3e32a06666f590042c761546dbfa80df932	[log] [tgz]
author	Sungtak Lee <taklee@google.com>	Tue Sep 13 05:46:42 2022 +0000
committer	Sungtak Lee <taklee@google.com>	Thu Sep 15 07:11:44 2022 +0000
tree	16108da13354a14d4b62d738e3b022e8f176217c
parent	7c3252767b45c3d7fca4c0c525be03bbdb0fe468 [diff]