From ec6cff83536f54f1270a335e373caad76bdb8aa7 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake"
Date: Mon, 4 May 2015 18:29:08 -0500
Subject: Fix integer overflow when handling MPEG4 tx3g atom

When the sum of the 'size' and 'chunk_size' variables is larger than 2^32, an integer overflow occurs. Using the result value to allocate memory leads to an undersized buffer allocation and later a potentially exploitable heap corruption condition. Ensure that integer overflow does not occur.

Bug: 20923261
Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f
Signed-off-by: Joshua J. Drake
Tested-by: Moritz Bandemer
---
 media/libstagefright/MPEG4Extractor.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 0c6f74c..ae592c4 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1502,7 +1502,14 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 size = 0;
             }
 
+            if (SIZE_MAX - chunk_size <= size) {
+                return ERROR_MALFORMED;
+            }
+
             uint8_t *buffer = new uint8_t[size + chunk_size];
+            if (buffer == NULL) {
+                return ERROR_MALFORMED;
+            }
 
             if (size > 0) {
                 memcpy(buffer, data, size);
-- 
cgit v1.1
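Review bot: The new guard `if (SIZE_MAX - chunk_size <= size)` at the top of the hunk can be bypassed if `chunk_size` is wider than `size_t` — its declaration is outside the hunk, but if it is a 64-bit value on a 32-bit build, a `chunk_size` above SIZE_MAX makes `SIZE_MAX - chunk_size` wrap to a huge unsigned result, the comparison is false, and `size + chunk_size` is still truncated when converted for `new uint8_t[...]`, recreating the undersized allocation the commit sets out to remove. Reject oversize chunks before the subtraction: `if (chunk_size > SIZE_MAX || SIZE_MAX - chunk_size <= size) { return ERROR_MALFORMED; }`. The added `if (buffer == NULL)` test is also ineffective unless this build's `operator new[]` returns null on failure rather than throwing or aborting; `new (std::nothrow) uint8_t[size + chunk_size]` would make the check meaningful, and a comment such as `// chunk_size is attacker-controlled; bound it before sizing the allocation` would record why both checks exist. parseChunk continues outside the hunk, so how `buffer` is later used and released is not visible here.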