summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoshua J. Drake <android-open-source@qoop.org>2015-05-04 18:29:08 -0500
committerPaul Kocialkowski <contact@paulk.fr>2015-08-31 00:22:02 +0200
commitec6cff83536f54f1270a335e373caad76bdb8aa7 (patch)
tree900a86dd1db275c481d2289fd341cfc597c885a8
parentc40f2dc30a7e33526460750e43325a947845b4fb (diff)
downloadframeworks_av-ec6cff83536f54f1270a335e373caad76bdb8aa7.zip
frameworks_av-ec6cff83536f54f1270a335e373caad76bdb8aa7.tar.gz
frameworks_av-ec6cff83536f54f1270a335e373caad76bdb8aa7.tar.bz2
Fix integer overflow when handling MPEG4 tx3g atom
When the sum of the 'size' and 'chunk_size' variables is larger than 2^32, an integer overflow occurs. Using the result value to allocate memory leads to an undersized buffer allocation and later a potentially exploitable heap corruption condition. Ensure that integer overflow does not occur. Bug: 20923261 Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
-rw-r--r--media/libstagefright/MPEG4Extractor.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 0c6f74c..ae592c4 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1502,7 +1502,14 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
size = 0;
}
+ if (SIZE_MAX - chunk_size <= size) {
+ return ERROR_MALFORMED;
+ }
+
uint8_t *buffer = new uint8_t[size + chunk_size];
+ if (buffer == NULL) {
+ return ERROR_MALFORMED;
+ }
if (size > 0) {
memcpy(buffer, data, size);