Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c24607c2 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Nick Kralevich
Browse files

Fix integer overflow during MP4 atom processing 

A few sample table related FourCC values are handled by the
setSampleToChunkParams function. An integer overflow exists within this
function. Validate that mNumSampleToChunkOffets will not cause an integer
overflow.

Bug: 20139950
Change-Id: I1972cc185fce5e058afa143ad5eabcc269ad324d
parent ad435371

media/libstagefright/SampleTable.cpp

+3 −0
Original line number Diff line number Diff line
@@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams( 
        return ERROR_MALFORMED;

    }



    if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets)

        return ERROR_OUT_OF_RANGE;



    mSampleToChunkEntries =

        new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets];

    if (!mSampleToChunkEntries)