Merge "Fix integer overflow when handling MPEG4 tx3g atom" into klp-dev

author: Wei Jia <wjia@google.com> 2015-06-05 16:13:39 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2015-06-05 16:13:40 +0000
commit: 82e90e10481c334bb5f2cecf1621cb8f9308c21c (patch)
tree: 8e831809c6a28deef10d37ff73409b351b4343af
parent: 4a492bf2ac47b9844d2527e1fcdf0064c3d8d52e (diff)
parent: e5f0966c76bd0a7e81e4205c8d8b55e6b34c833e (diff)
download: frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.zip
frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.tar.gz
frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.tar.bz2
1 files changed, 7 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 5640b50..2efbb57 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1724,7 +1724,14 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 size = 0;
             }
 
+            if (SIZE_MAX - chunk_size <= size) {
+                return ERROR_MALFORMED;
+            }
+
             uint8_t *buffer = new uint8_t[size + chunk_size];
+            if (buffer == NULL) {
+                return ERROR_MALFORMED;
+            }
 
             if (size > 0) {
                 memcpy(buffer, data, size);
author	Wei Jia <wjia@google.com>	2015-06-05 16:13:39 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2015-06-05 16:13:40 +0000
commit	82e90e10481c334bb5f2cecf1621cb8f9308c21c (patch)
tree	8e831809c6a28deef10d37ff73409b351b4343af
parent	4a492bf2ac47b9844d2527e1fcdf0064c3d8d52e (diff)
parent	e5f0966c76bd0a7e81e4205c8d8b55e6b34c833e (diff)
download	frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.zip frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.tar.gz frameworks_av-82e90e10481c334bb5f2cecf1621cb8f9308c21c.tar.bz2