authorNick Kralevich <nnk@google.com>2015-08-07 11:19:24 -0700
committerPaul Kocialkowski <contact@paulk.fr>2015-08-31 00:22:02 +0200
commita4ab71c55d743ad4eefa83b9e2861d95520a4e08 (patch)
treea01a65b28b1fbc074c8bc2fdeba8e369d2275a7a
parent28f82bc8d580a1e7ab2814cd0f75b47d42b2066c (diff)
MPEG4Extractor.cpp: handle chunk_size > SIZE_MAXreplicant-4.2-0004replicant-4.2
chunk_size is a uint64_t, so it can legitimately be bigger than SIZE_MAX, which would cause the subtraction to underflow. https://code.google.com/p/android/issues/detail?id=182251 Bug: 23034759 Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547 Signed-off-by: Nick Kralevich <nnk@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
-rw-r--r--media/libstagefright/MPEG4Extractor.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 28c41c4..167fd01 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1502,7 +1502,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
size = 0;
}
- if (SIZE_MAX - chunk_size <= size) {
+ if ((chunk_size > SIZE_MAX) || (SIZE_MAX - chunk_size <= size)) {
return ERROR_MALFORMED;
}
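Review bot: The new `chunk_size > SIZE_MAX` test is only effective because it short-circuits before `SIZE_MAX - chunk_size` is evaluated, and nothing on the line records that ordering requirement. On a 64-bit build the comparison is always false, so a later cleanup could drop or reorder it and silently reintroduce the wrap-around on 32-bit targets. A one-line comment above the condition would prevent that, for example `// chunk_size is uint64_t and may exceed SIZE_MAX where size_t is 32-bit; test that before subtracting`. The condition presumably protects a later sum of `size` and `chunk_size`, but it bounds only the arithmetic. parseChunk starts and ends outside the hunk, so it is worth confirming that chunk_size is also checked against the data actually remaining in the source before it sizes an allocation or read.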