From f11e95b21007f24e5ab77298370855f9f085b2d7 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Wed, 1 Jul 2015 13:05:50 -0700
Subject: Check buffer size before using it

Bug: 21814993
Change-Id: Idaac61b4b9f4058b94e84093644593ba315d72ff
(cherry picked from commit c1a104aaad2d84a57bf5d87dd030d2bef56bf541)
---
 media/libstagefright/MPEG4Extractor.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'media/libstagefright/MPEG4Extractor.cpp')

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 56bd875..46010ca 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -3193,6 +3193,10 @@ status_t MPEG4Source::read(
             CHECK(mBuffer == NULL);
             return err;
         }
+        if (size > mBuffer->size()) {
+            ALOGE("buffer too small: %zu > %zu", size, mBuffer->size());
+            return ERROR_BUFFER_TOO_SMALL;
+        }
     }
 
     if (!mIsAVC || mWantsNALFragments) {
@@ -3439,6 +3443,10 @@ status_t MPEG4Source::fragmentedRead(
             ALOGV("acquire_buffer returned %d", err);
             return err;
         }
+        if (size > mBuffer->size()) {
+            ALOGE("buffer too small: %zu > %zu", size, mBuffer->size());
+            return ERROR_BUFFER_TOO_SMALL;
+        }
     }
 
     const Sample *smpl = &mCurrentSamples[mCurrentSampleIndex];
-- 
cgit v1.1