From a1e21653e86d21a4ab0946ee2761b6f0163d5742 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 7 Aug 2015 10:02:37 -0700
Subject: MPEG4Extractor.cpp: Add check for size == SIZE_MAX
If size == SIZE_MAX, the line: uint8_t *buffer = new (std::nothrow) uint8_t[size + 1]; ends up allocating zero bytes, which is obviously incorrect. This is conceptually a cherrypick of commit b2d33aee5122c91a59c2a676c0b89ad340232450 , but specifically for Android 4.1 through Android 4.4. In Android 5.0, new code was introduced which caused the function parseMetaData() to be renamed.
Bug: 23031033
Change-Id: Ib34e740f3292a484f8a24e513c1cce58f2f33ecb
---
media/libstagefright/MPEG4Extractor.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'media/libstagefright/MPEG4Extractor.cpp')
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 9c5859f..b5d54f2 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1566,7 +1566,7 @@ status_t MPEG4Extractor::parseTrackHeader(
 }
 status_t MPEG4Extractor::parseMetaData(off64_t offset, size_t size) {
- if (size < 4) {
+ if (size < 4 || size == SIZE_MAX) {
 return ERROR_MALFORMED;
 }
--
cgit v1.1
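Review bot: The added `size == SIZE_MAX` test in parseMetaData() excludes only the single value for which the later `size + 1` allocation wraps to zero, and nothing at the check records that link, so a future edit to the allocation expression could silently reopen the overflow. A comment on the condition such as `// size + 1 is allocated below; SIZE_MAX would wrap it to 0` would keep the two lines tied together. Every other large `size` still reaches `new (std::nothrow) uint8_t[size + 1]`, so the fix relies on a NULL check after that allocation, which is outside this hunk and should be confirmed; if `size` is taken from the file, bounding it against the data actually available would be the more robust guard. The body of parseMetaData() continues past the end of the hunk.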