am 82e90e10: Merge "Fix integer overflow when handling MPEG4 tx3g atom" into klp-dev

* commit '82e90e10481c334bb5f2cecf1621cb8f9308c21c': Fix integer overflow when handling MPEG4 tx3g atom
author: Wei Jia <wjia@google.com> 2015-06-05 16:32:41 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2015-06-05 16:32:41 +0000
commit: 1f44d837a9273dc86bf0c928c2ead313d71d1464 (patch)
tree: 6af2fa021d1dd1189e36849ea1a09e95b8770c96
parent: f0e1fb59f3ea24ce4f7f10d156bf8470a7236445 (diff)
parent: 82e90e10481c334bb5f2cecf1621cb8f9308c21c (diff)
download: frameworks_av-1f44d837a9273dc86bf0c928c2ead313d71d1464.zip
frameworks_av-1f44d837a9273dc86bf0c928c2ead313d71d1464.tar.gz
frameworks_av-1f44d837a9273dc86bf0c928c2ead313d71d1464.tar.bz2
1 files changed, 7 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 5375caa..4f08f70 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1728,7 +1728,14 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 size = 0;
             }
 
+            if (SIZE_MAX - chunk_size <= size) {
+                return ERROR_MALFORMED;
+            }
+
             uint8_t *buffer = new uint8_t[size + chunk_size];
+            if (buffer == NULL) {
+                return ERROR_MALFORMED;
+            }
 
             if (size > 0) {
                 memcpy(buffer, data, size);
author	Wei Jia <wjia@google.com>	2015-06-05 16:32:41 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2015-06-05 16:32:41 +0000
commit	1f44d837a9273dc86bf0c928c2ead313d71d1464 (patch)
tree	6af2fa021d1dd1189e36849ea1a09e95b8770c96
parent	f0e1fb59f3ea24ce4f7f10d156bf8470a7236445 (diff)
parent	82e90e10481c334bb5f2cecf1621cb8f9308c21c (diff)
download	frameworks_av-1f44d837a9273dc86bf0c928c2ead313d71d1464.zip frameworks_av-1f44d837a9273dc86bf0c928c2ead313d71d1464.tar.gz frameworks_av-1f44d837a9273dc86bf0c928c2ead313d71d1464.tar.bz2