author: Joshua J. Drake <android-open-source@qoop.org> 2015-05-04 18:29:08 -0500
committer: Wei Jia <wjia@google.com> 2015-06-03 15:43:31 -0700
commit: e5f0966c76bd0a7e81e4205c8d8b55e6b34c833e
tree: 2a4ea433c05520b8fe5628b778b32a79c88daafb
parent: 0e27e080c255b23b4b0e19cb3bc9519cc162b73f
Fix integer overflow when handling MPEG4 tx3g atom

When the sum of the 'size' and 'chunk_size' variables is larger than 2^32, an integer overflow occurs. Using the result value to allocate memory leads to an undersized buffer allocation and later a potentially exploitable heap corruption condition. Ensure that integer overflow does not occur.

Bug: 20923261
Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f
-rw-r--r-- media/libstagefright/MPEG4Extractor.cpp 7
1 files changed, 7 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index d52b605..3d15090 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1724,7 +1724,14 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
size = 0;
}
+ if (SIZE_MAX - chunk_size <= size) {
+ return ERROR_MALFORMED;
+ }
+
uint8_t *buffer = new uint8_t[size + chunk_size];
+ if (buffer == NULL) {
+ return ERROR_MALFORMED;
+ }
if (size > 0) {
memcpy(buffer, data, size);
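Review bot: the guard `if (SIZE_MAX - chunk_size <= size)` is only sound when `chunk_size` is no wider than `size_t`, and neither declaration is visible in this hunk. If `chunk_size` is an unsigned 64-bit type on a build where `size_t` is 32 bits (the 2^32 bound in the commit message suggests that build matters), the subtraction is evaluated in 64 bits and wraps to a large value for any `chunk_size` above `SIZE_MAX`, so the check passes and `size + chunk_size` is truncated when it becomes the array length. Please reject an out-of-range `chunk_size` first and then compare in a single explicit type, for example `chunk_size > SIZE_MAX || size > SIZE_MAX - (size_t)chunk_size`. Separately, `if (buffer == NULL)` after a plain `new uint8_t[size + chunk_size]` only has an effect if this build's operator new returns null on failure; `new (std::nothrow)` would make the check meaningful, and an allocation failure would read more accurately as an out-of-memory status than as `ERROR_MALFORMED`.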