diff options
author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 23:44:57 -0500 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-04-09 18:46:31 -0700 |
commit | 5c134e6b2047b10877f02a46f4bb293537269f00 (patch) | |
tree | b7e4567dd99275527886ada954a143effc0e5ab3 | |
parent | ae6965ae7664aaea489a8d58358035610075c9af (diff) | |
download | frameworks_av-5c134e6b2047b10877f02a46f4bb293537269f00.zip frameworks_av-5c134e6b2047b10877f02a46f4bb293537269f00.tar.gz frameworks_av-5c134e6b2047b10877f02a46f4bb293537269f00.tar.bz2 |
Fix integer overflow during MP4 atom processing
A few sample table related FourCC values are handled by the
setSampleToChunkParams function. An integer overflow exists within this
function. Validate that mNumSampleToChunkOffets will not cause an integer
overflow.
Bug: 20139950
(cherry picked from commit c24607c29c96f939aed9e33bfa702b1dd79da4b7)
Change-Id: I49086952451b09a234d8b82669251ab9f1ef58d9
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 8dfa365..4d8d703 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams( return ERROR_MALFORMED; } + if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets) + return ERROR_OUT_OF_RANGE; + mSampleToChunkEntries = new SampleToChunkEntry[mNumSampleToChunkOffsets]; |