authorWei Jia <wjia@google.com>2015-08-18 14:32:16 -0700
committerWei Jia <wjia@google.com>2015-08-19 17:00:44 -0700
commitc51ab7dd82bf4e24666fc72a55e03e2f530204d5 (patch)
tree2a82e42557c0359b595e17e9904b1ba3d0d7dfe9 /media/libstagefright/MPEG4Extractor.cpp
parent39ff8149466ee8e86c0336f706cd4dd3713f359f (diff)
libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets.
Bug: 23270724 Change-Id: Id7ba55c7bf6860fbfc892bbb6378aac644c82da4
Diffstat (limited to 'media/libstagefright/MPEG4Extractor.cpp')
-rwxr-xr-xmedia/libstagefright/MPEG4Extractor.cpp16
1 files changed, 15 insertions, 1 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index a2e8323..16d7c2d 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -3584,13 +3584,27 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
return ERROR_IO;
}
offset += 4;
+ if (entrycount == 0) {
+ return OK;
+ }
+ if (entrycount > UINT32_MAX / 8) {
+ return ERROR_MALFORMED;
+ }
if (entrycount > mCurrentSampleInfoOffsetsAllocSize) {
- mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+ uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+ if (newPtr == NULL) {
+ return NO_MEMORY;
+ }
+ mCurrentSampleInfoOffsets = newPtr;
mCurrentSampleInfoOffsetsAllocSize = entrycount;
}
mCurrentSampleInfoOffsetCount = entrycount;
+ if (mCurrentSampleInfoOffsets == NULL) {
+ return OK;
+ }
+
for (size_t i = 0; i < entrycount; i++) {
if (version == 0) {
uint32_t tmp;