diff options
author | Wei Jia <wjia@google.com> | 2015-06-05 16:13:39 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-06-05 16:13:40 +0000 |
commit | 82e90e10481c334bb5f2cecf1621cb8f9308c21c (patch) | |
tree | 8e831809c6a28deef10d37ff73409b351b4343af | |
parent | 4a492bf2ac47b9844d2527e1fcdf0064c3d8d52e (diff) | |
parent | e5f0966c76bd0a7e81e4205c8d8b55e6b34c833e (diff) | |
download | frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.zip frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.tar.gz frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.tar.bz2 |
Merge "Fix integer overflow when handling MPEG4 tx3g atom" into klp-dev
-rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 5640b50..2efbb57 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -1724,7 +1724,14 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { size = 0; } + if (SIZE_MAX - chunk_size <= size) { + return ERROR_MALFORMED; + } + uint8_t *buffer = new uint8_t[size + chunk_size]; + if (buffer == NULL) { + return ERROR_MALFORMED; + } if (size > 0) { memcpy(buffer, data, size); |