diff options
| author | Wei Jia <wjia@google.com> | 2015-08-20 04:01:18 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-08-20 04:01:18 +0000 |
| commit | 6ae815e04f618207da9ce52e3c828492c33a7107 (patch) | |
| tree | 42f8cf5d811238df117abba1a9848b32c6f2d8fb | |
| parent | b2ae4351539de9aa4667fcb3e02ba40d9c6bd094 (diff) | |
| parent | 937c6bedd4b6e5c6cb29a238eb459047dedd3486 (diff) | |
| download | frameworks_av-6ae815e04f618207da9ce52e3c828492c33a7107.zip frameworks_av-6ae815e04f618207da9ce52e3c828492c33a7107.tar.gz frameworks_av-6ae815e04f618207da9ce52e3c828492c33a7107.tar.bz2 | |
Merge "libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets." into klp-dev
| -rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 0899362..116c457 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -39,6 +39,10 @@ #include <media/stagefright/MetaData.h> #include <utils/String8.h> +#ifndef UINT32_MAX +#define UINT32_MAX (4294967295U) +#endif + namespace android { class MPEG4Source : public MediaSource { @@ -2714,13 +2718,27 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(off64_t offset, off return ERROR_IO; } offset += 4; + if (entrycount == 0) { + return OK; + } + if (entrycount > UINT32_MAX / 8) { + return ERROR_MALFORMED; + } if (entrycount > mCurrentSampleInfoOffsetsAllocSize) { - mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8); + uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8); + if (newPtr == NULL) { + return NO_MEMORY; + } + mCurrentSampleInfoOffsets = newPtr; mCurrentSampleInfoOffsetsAllocSize = entrycount; } mCurrentSampleInfoOffsetCount = entrycount; + if (mCurrentSampleInfoOffsets == NULL) { + return OK; + } + for (size_t i = 0; i < entrycount; i++) { if (version == 0) { uint32_t tmp; |