Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 937c6bed authored by Wei Jia's avatar Wei Jia
Browse files

libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets. 

Bug: 23270724
Change-Id: Id7ba55c7bf6860fbfc892bbb6378aac644c82da4
(cherry picked from commit c51ab7dd)
parent 916a9684

media/libstagefright/MPEG4Extractor.cpp

+19 −1
Original line number Diff line number Diff line
@@ -39,6 +39,10 @@ 
#include <media/stagefright/MetaData.h>

#include <utils/String8.h>



#ifndef UINT32_MAX

#define UINT32_MAX       (4294967295U)

#endif



namespace android {



class MPEG4Source : public MediaSource {
@@ -2714,13 +2718,27 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(off64_t offset, off 
        return ERROR_IO;

    }

    offset += 4;

    if (entrycount == 0) {

        return OK;

    }

    if (entrycount > UINT32_MAX / 8) {

        return ERROR_MALFORMED;

    }



    if (entrycount > mCurrentSampleInfoOffsetsAllocSize) {

        mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8);

        uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8);

        if (newPtr == NULL) {

            return NO_MEMORY;

        }

        mCurrentSampleInfoOffsets = newPtr;

        mCurrentSampleInfoOffsetsAllocSize = entrycount;

    }

    mCurrentSampleInfoOffsetCount = entrycount;



    if (mCurrentSampleInfoOffsets == NULL) {

        return OK;

    }



    for (size_t i = 0; i < entrycount; i++) {

        if (version == 0) {

            uint32_t tmp;