author | Wei Jia <wjia@google.com> | 2015-08-18 14:32:16 -0700 |
---|---|---|
committer | Wei Jia <wjia@google.com> | 2015-08-19 17:00:44 -0700 |
commit | c51ab7dd82bf4e24666fc72a55e03e2f530204d5 (patch) | |
tree | 2a82e42557c0359b595e17e9904b1ba3d0d7dfe9 /media/libstagefright/MPEG4Extractor.cpp | |
parent | 39ff8149466ee8e86c0336f706cd4dd3713f359f (diff) | |
libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets.
Bug: 23270724
Change-Id: Id7ba55c7bf6860fbfc892bbb6378aac644c82da4
Diffstat (limited to 'media/libstagefright/MPEG4Extractor.cpp')
-rwxr-xr-x | media/libstagefright/MPEG4Extractor.cpp | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index a2e8323..16d7c2d 100755 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -3584,13 +3584,27 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets( return ERROR_IO; } offset += 4; + if (entrycount == 0) { + return OK; + } + if (entrycount > UINT32_MAX / 8) { + return ERROR_MALFORMED; + } if (entrycount > mCurrentSampleInfoOffsetsAllocSize) { - mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8); + uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8); + if (newPtr == NULL) { + return NO_MEMORY; + } + mCurrentSampleInfoOffsets = newPtr; mCurrentSampleInfoOffsetsAllocSize = entrycount; } mCurrentSampleInfoOffsetCount = entrycount; + if (mCurrentSampleInfoOffsets == NULL) { + return OK; + } + for (size_t i = 0; i < entrycount; i++) { if (version == 0) { uint32_t tmp; |
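Review bot: The early `return OK;` for `entrycount == 0` runs before `mCurrentSampleInfoOffsetCount = entrycount;`, so a box with zero entries leaves the count and offsets from a previously parsed box in place. Setting `mCurrentSampleInfoOffsetCount = 0;` before that return would keep the member state consistent with the box just read. The later `if (mCurrentSampleInfoOffsets == NULL) { return OK; }` has the opposite problem: the count has already been set to a non-zero `entrycount` while the buffer is NULL, yet the function reports success. Returning an error there (for example `ERROR_MALFORMED`) or resetting the count to 0 looks safer, because any reader that trusts the count would index a NULL buffer. Whether either state is actually consumed depends on code outside this hunk, and the function body starts before and continues past it.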