MPEG4Extractor.cpp: handle chunk_size > SIZE_MAXreplicant-4.2-0004 replicant-4.2

chunk_size is a uint64_t, so it can legitimately be bigger than SIZE_MAX, which would cause the subtraction to underflow. https://code.google.com/p/android/issues/detail?id=182251 Bug: 23034759 Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547 Signed-off-by: Nick Kralevich <nnk@google.com> Tested-by: Moritz Bandemer <replicant@posteo.mx>
author: Nick Kralevich <nnk@google.com> 2015-08-07 11:19:24 -0700
committer: Paul Kocialkowski <contact@paulk.fr> 2015-08-31 00:22:02 +0200
commit: a4ab71c55d743ad4eefa83b9e2861d95520a4e08 (patch)
tree: a01a65b28b1fbc074c8bc2fdeba8e369d2275a7a
parent: 28f82bc8d580a1e7ab2814cd0f75b47d42b2066c (diff)
download: frameworks_av-replicant-4.2.zip
frameworks_av-replicant-4.2.tar.gz
frameworks_av-replicant-4.2.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 28c41c4..167fd01 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1502,7 +1502,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 size = 0;
             }
 
-            if (SIZE_MAX - chunk_size <= size) {
+            if ((chunk_size > SIZE_MAX) || (SIZE_MAX - chunk_size <= size)) {
                 return ERROR_MALFORMED;
             }
author	Nick Kralevich <nnk@google.com>	2015-08-07 11:19:24 -0700
committer	Paul Kocialkowski <contact@paulk.fr>	2015-08-31 00:22:02 +0200
commit	a4ab71c55d743ad4eefa83b9e2861d95520a4e08 (patch)
tree	a01a65b28b1fbc074c8bc2fdeba8e369d2275a7a
parent	28f82bc8d580a1e7ab2814cd0f75b47d42b2066c (diff)
download	frameworks_av-replicant-4.2.zip frameworks_av-replicant-4.2.tar.gz frameworks_av-replicant-4.2.tar.bz2