diff options
| author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 23:44:57 -0500 |
|---|---|---|
| committer | Paul Kocialkowski <contact@paulk.fr> | 2015-08-31 00:22:02 +0200 |
| commit | b5ae3d04eb49314cb6d5c7892ea4737b347e487d (patch) | |
| tree | 3ac92af9586ad0f1cdc5079ce67ceaeb383ec60b | |
| parent | 16ffb57cee83d15382286570fe96c375a5dbb30e (diff) | |
| download | frameworks_av-b5ae3d04eb49314cb6d5c7892ea4737b347e487d.zip frameworks_av-b5ae3d04eb49314cb6d5c7892ea4737b347e487d.tar.gz frameworks_av-b5ae3d04eb49314cb6d5c7892ea4737b347e487d.tar.bz2 | |
Fix integer overflow during MP4 atom processing
A few sample table related FourCC values are handled by the
setSampleToChunkParams function. An integer overflow exists within this
function. Validate that mNumSampleToChunkOffets will not cause an integer
overflow.
Bug: 20139950
Change-Id: I4fc78c80d01ec4b7475e573a8e7d37ace4b5e399
Signed-off-by: Joshua J. Drake <android-open-source@qoop.org>
Tested-by: Moritz Bandemer <replicant@posteo.mx>
| -rw-r--r-- | media/libstagefright/SampleTable.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 023ab72..2d143a1 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams( return ERROR_MALFORMED; } + if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets) + return ERROR_OUT_OF_RANGE; + mSampleToChunkEntries = new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets]; if (!mSampleToChunkEntries) |