[datatype-dev] RESEND: [Nokia-private-dev] CR : SALM-835FZC: Codenomicon 3GP5: Kern Exec 3 panic in CQTAtom::GetUI16()
ext-anugrah.2.kashari at nokia.com

Any comments on this?

Thanks,
Anugrah K
From: nokia-private-dev-bounces at helixcommunity.org [mailto:nokia-private-dev-bounces at helixcommunity.org] On Behalf Of Kashari Anugrah.2 (EXT-Sasken/Bangalore)
Sent: Friday, March 05, 2010 6:54 PM
To: datatype-dev at helixcommunity.org; nokia-private-dev at helixcommunity.org
Subject: [Nokia-private-dev] CR : SALM-835FZC: Codenomicon 3GP5: Kern Exec 3 panic in CQTAtom::GetUI16()

"Nokia submits this code under the terms of a commercial contribution agreement with RealNetworks, and I am authorized to contribute this code under said agreement"

Modified By: ext-anugrah.2.kashari at nokia.com
Review By: Rathinasamy Rajesh (Nokia-D/Dallas)
TSW-ID: SALM-835FZC
Date: 05/03/2010
Project: SymbianMmf_wm
Synopsis: Codenomicon 3GP5: Kern Exec 3 panic in CQTAtom::GetUI16()

Overview: The stsd atom for handle type video (vide) is corrupted. In this particular case, the stsd atom has a size of 182 (0xb6) bytes and an entry_count of 256 for the sample description. During initialization, in CQT_SampleDescription_Manager::Init(), this description is read in a loop. Each nextEntryOffset is equal to currentEntryOffset + SizeOf(currentEntryOffset) (computed in CQTAtom::FindArrayEntry() in qtbatom.h). The size of the first entry is huge (0xa7bd bytes; it actually cannot be greater than 166 bytes), so the next entry pointer returned is invalid, hence the panic.

Fix: In CQTAtom::FindArrayEntry(), the offset should be checked after pStartEntry has been updated, to ensure that it is still a valid pointer.

Files modified & changes (210Cays, Brizo420 and Head): /cvsroot/datatype/mp4/fileformat/pub/qtbatom.h
Image Size and Heap Use impact: No major impact
Module Release testing (STIF): Passed
Test case(s) Added: No
Memory leak check performed: Passed, no additional leaks introduced.
Platforms and Profiles Build Verified: helix-client-s60-52-mmf-mdf-dsp
Platforms and Profiles Functionality verified: armv5
Branch: 210Cays, Brizo420 & Head

CVS diff (for 210Cays):

Index: qtbatom.h =================================================================== RCS file: /cvsroot/datatype/mp4/fileformat/pub/qtbatom.h,v retrieving revision 1.5.8.2 diff -u -w -r1.5.8.2 qtbatom.h --- qtbatom.h 4 Nov 2009 14:41:21 -0000 1.5.8.2 +++ qtbatom.h 4 Mar 2010 11:46:51 -0000 @@ -214,13 +214,13 @@ { while (ulArrayIdx != 0) { + pStartEntry += GetUL32(pStartEntry); + ulArrayIdx--; if (((UINT32)(pStartEntry - m_pData)) >= m_pBuffer->GetSize()) { pStartEntry = NULL; break; } - pStartEntry += GetUL32(pStartEntry); - ulArrayIdx--; } return pStartEntry;
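Review bot: the reordered check still lets `GetUL32(pStartEntry)` read 4 bytes from a pointer that has only been verified for its first byte, because `if (((UINT32)(pStartEntry - m_pData)) >= m_pBuffer->GetSize())` rejects an entry that starts at or past the end of the buffer but accepts one that starts 1 to 3 bytes before it, so the next iteration's size read runs past the buffer. The size value itself is also never validated: a corrupt size below 8 (including 0) leaves the walk parked on a malformed entry that is then returned as valid, and a large size added to `pStartEntry` can wrap the pointer on a 32-bit target so that the `UINT32` difference looks in range again. Suggest computing the remaining length first, `UINT32 ulRemain = m_pBuffer->GetSize() - (UINT32)(pStartEntry - m_pData);`, requiring `ulRemain >= 4` before the read and `8 <= size && size <= ulRemain` before `pStartEntry += size;`, and setting `pStartEntry = NULL` otherwise. Given "Test case(s) Added: No", a regression test built from the 0xa7bd sample in the Overview would also be worth adding.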
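As an added illustration of the bounds checking this CR is about (example code written for this page, not Helix or Nokia code), the following C walks the size-prefixed sample-description entries of an stsd payload using offsets instead of a raw pointer, and rejects each failure mode the Overview describes. The stsd payloads it parses are constructed by hand, the 8-byte minimum entry size is an assumption taken from the size+type box header, and the function names are my own rather than the project's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOX_HDR 8u  /* size(4) + type(4): assumed minimum an entry may claim */

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Offset of 0-based entry idx, walking from start_off, or -1 on a malformed
 * array. Offsets are tracked in size_t, so a bogus 32-bit size can never wrap
 * a pointer on a 32-bit target and sneak back inside the range check. */
long find_array_entry(const uint8_t *buf, size_t buf_len,
                      size_t start_off, uint32_t idx)
{
    size_t off = start_off;
    for (;;) {
        if (off > buf_len || buf_len - off < 4)   /* size field must be readable */
            return -1;
        if (idx == 0)
            return (long)off;
        uint32_t sz = rd_be32(buf + off);
        if (sz < BOX_HDR || sz > buf_len - off)   /* too small, or runs off the end */
            return -1;
        off += sz;
        idx--;
    }
}

/* stsd payload: version(1) flags(3) entry_count(4), then the entries. */
long stsd_find_entry(const uint8_t *stsd, size_t len, uint32_t idx)
{
    if (len < 8)
        return -1;
    if (idx >= rd_be32(stsd + 4))                 /* entry_count is untrusted too */
        return -1;
    return find_array_entry(stsd, len, 8, idx);
}

/* ---- constructed inputs (hypothetical, not taken from any real file) ---- */
static size_t put_entry(uint8_t *p, uint32_t claimed, size_t actual, const char *type)
{
    wr_be32(p, claimed);
    memcpy(p + 4, type, 4);
    memset(p + 8, 0, actual - 8);
    return actual;
}

/* Header plus two 16-byte 'avc1' entries (40 bytes); first_claimed lets the
 * caller lie about the first entry's size the way the corrupted file did. */
size_t build_stsd(uint8_t *out, uint32_t entry_count, uint32_t first_claimed)
{
    memset(out, 0, 4);
    wr_be32(out + 4, entry_count);
    size_t n = 8;
    n += put_entry(out + n, first_claimed, 16, "avc1");
    n += put_entry(out + n, 16, 16, "avc1");
    return n;
}

long demo_good(uint32_t idx)       /* 8 for idx 0, 24 for idx 1, -1 for idx 2 */
{
    uint8_t b[64];
    size_t n = build_stsd(b, 2, 16);
    return stsd_find_entry(b, n, idx);
}

long demo_corrupt_size(void)       /* -1: 0xa7bd exceeds the 32 bytes left */
{
    uint8_t b[64];
    size_t n = build_stsd(b, 256, 0xa7bd);
    return stsd_find_entry(b, n, 1);
}

long demo_truncated(void)          /* -1: entry 0 claims 16 but only 12 remain */
{
    uint8_t b[64];
    build_stsd(b, 2, 16);
    return stsd_find_entry(b, 20, 1);
}

int main(void)
{
    printf("good[0]=%ld good[1]=%ld good[2]=%ld corrupt=%ld truncated=%ld\n",
           demo_good(0), demo_good(1), demo_good(2),
           demo_corrupt_size(), demo_truncated());
    return 0;
}
```

The three checks in find_array_entry are the ones the patched loop lacks: the 4-byte size field is confirmed readable before it is read, the size is rejected if it is smaller than a box header, and it is rejected if it exceeds what is left in the buffer. Doing the arithmetic on offsets means there is no intermediate pointer that can wrap or point outside the allocation, which is the property a 32-bit ARM build needs most.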