Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9ad03116 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Jon Larimer
Browse files

Prevent integer overflow when processing covr MPEG4 atoms 

If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.

Bug: 20923261
Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f
parent f6dda8df

media/libstagefright/MPEG4Extractor.cpp

+5 −1
Original line number Diff line number Diff line
@@ -1935,7 +1935,11 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 


            if (mFileMetaData != NULL) {

                ALOGV("chunk_data_size = %lld and data_offset = %lld",

                        chunk_data_size, data_offset);

                        (long long)chunk_data_size, (long long)data_offset);



                if (chunk_data_size >= SIZE_MAX - 1) {

                    return ERROR_MALFORMED;

                }

                sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);

                if (mDataSource->readAt(

                    data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {