diff options
author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 23:44:57 -0500 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-04-09 17:34:16 -0700 |
commit | c24607c29c96f939aed9e33bfa702b1dd79da4b7 (patch) | |
tree | 308a07dbcde69ced72f36758ac24b6506e7ad8ed /media/libstagefright/SampleTable.cpp | |
parent | ad435371a4b95e16ceb49ab28efc04da8b3680e1 (diff) | |
download | frameworks_av-c24607c29c96f939aed9e33bfa702b1dd79da4b7.zip frameworks_av-c24607c29c96f939aed9e33bfa702b1dd79da4b7.tar.gz frameworks_av-c24607c29c96f939aed9e33bfa702b1dd79da4b7.tar.bz2 |
Fix integer overflow during MP4 atom processing
A few sample table related FourCC values are handled by the
setSampleToChunkParams function. An integer overflow exists within this
function. Validate that mNumSampleToChunkOffets will not cause an integer
overflow.
Bug: 20139950
Change-Id: I1972cc185fce5e058afa143ad5eabcc269ad324d
Diffstat (limited to 'media/libstagefright/SampleTable.cpp')
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index bfae474..aba64d5 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams( return ERROR_MALFORMED; } + if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets) + return ERROR_OUT_OF_RANGE; + mSampleToChunkEntries = new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets]; if (!mSampleToChunkEntries) |