am 562be234: am f076fabf: am 0af43510: am 2562495d: am a590baca: Merge commit \'6ae815e0\' into HEAD

* commit '562be234743f7d82f8ee45cf0258e9db8239a817':
  libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets.

1 files changed, 19 insertions, 1 deletions

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index d809b4c..e2b1675 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -44,6 +44,10 @@
 #include <byteswap.h>
 #include "include/ID3.h"
 
+#ifndef UINT32_MAX
+#define UINT32_MAX       (4294967295U)
+#endif
+
 namespace android {
 
 class MPEG4Source : public MediaSource {
@@ -3335,13 +3339,27 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
         return ERROR_IO;
     }
     offset += 4;
+    if (entrycount == 0) {
+        return OK;
+    }
+    if (entrycount > UINT32_MAX / 8) {
+        return ERROR_MALFORMED;
+    }
 
     if (entrycount > mCurrentSampleInfoOffsetsAllocSize) {
-        mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+        uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+        if (newPtr == NULL) {
+            return NO_MEMORY;
+        }
+        mCurrentSampleInfoOffsets = newPtr;
         mCurrentSampleInfoOffsetsAllocSize = entrycount;
     }
     mCurrentSampleInfoOffsetCount = entrycount;
 
+    if (mCurrentSampleInfoOffsets == NULL) {
+        return OK;
+    }
+
     for (size_t i = 0; i < entrycount; i++) {
         if (version == 0) {
             uint32_t tmp;