
Commit d7340395 authored by Wei Jia's avatar Wei Jia Committed by Brint E. Kriebel

libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets.

Bug: 23270724
Change-Id: Id7ba55c7bf6860fbfc892bbb6378aac644c82da4
(cherry picked from commit c51ab7dd)
Ticket: CYNGNOS-985
parent 87d059a0
+19 −1
@@ -85,6 +85,10 @@
#include "include/ID3.h"
#include "include/ExtendedUtils.h"

#ifndef UINT32_MAX
#define UINT32_MAX       (4294967295U)
#endif

#if defined(DOLBY_UDC) && defined(DEBUG_LOG_DDP_DECODER_EXTRA)
#define DLOGD ALOGD
#else
@@ -3637,13 +3641,27 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets(
        return ERROR_IO;
    }
    offset += 4;
    if (entrycount == 0) {
        return OK;
    }
    if (entrycount > UINT32_MAX / 8) {
        return ERROR_MALFORMED;
    }

    if (entrycount > mCurrentSampleInfoOffsetsAllocSize) {
        mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8);
        uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8);
        if (newPtr == NULL) {
            return NO_MEMORY;
        }
        mCurrentSampleInfoOffsets = newPtr;
        mCurrentSampleInfoOffsetsAllocSize = entrycount;
    }
    mCurrentSampleInfoOffsetCount = entrycount;

    if (mCurrentSampleInfoOffsets == NULL) {
        return OK;
    }

    for (size_t i = 0; i < entrycount; i++) {
        if (version == 0) {
            uint32_t tmp;
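Review bot: The two new `return OK;` paths in the second hunk leave the parser's members out of step with the box that was just read. The `entrycount == 0` early return comes before `mCurrentSampleInfoOffsetCount = entrycount;`, so a zero-entry box keeps whatever count an earlier call stored; adding `mCurrentSampleInfoOffsetCount = 0;` before that return would restore the pre-patch result. The later `if (mCurrentSampleInfoOffsets == NULL) return OK;` runs after the count has already been set to a non-zero `entrycount`, so if that branch is ever taken the object reports entries with no buffer behind them; returning an error such as `ERROR_MALFORMED` there, or zeroing the count first, would be safer. How the count is consumed is not visible here and the function body continues past the hunk, so the impact should be confirmed against the code that reads these members.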