From b5ae3d04eb49314cb6d5c7892ea4737b347e487d Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <android-open-source@qoop.org>
Date: Wed, 8 Apr 2015 23:44:57 -0500
Subject: Fix integer overflow during MP4 atom processing

A few sample table related FourCC values are handled by the
setSampleToChunkParams function. An integer overflow exists within this
function. Validate that mNumSampleToChunkOffets will not cause an integer
overflow.

Bug: 20139950
Change-Id: I4fc78c80d01ec4b7475e573a8e7d37ace4b5e399

Signed-off-by: Joshua J. Drake <android-open-source@qoop.org>
Tested-by: Moritz Bandemer <replicant@posteo.mx>
---
 media/libstagefright/SampleTable.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 023ab72..2d143a1 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams(
         return ERROR_MALFORMED;
     }
 
+    if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets)
+        return ERROR_OUT_OF_RANGE;
+
     mSampleToChunkEntries =
         new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets];
     if (!mSampleToChunkEntries)
-- 
cgit v1.1