Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e1be03f4 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Abhisek Devkota
Browse files

Prevent integer overflow when processing covr MPEG4 atoms 

If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.

Bug: 20923261
(cherry picked from commit b5738ab0)

Conflicts:
	media/libstagefright/MPEG4Extractor.cpp

Change-Id: Id7fbe1f8543cd016cf5b272b7ea4cd1fb01f2b8f
parent 69efdb17

media/libstagefright/MPEG4Extractor.cpp

+4 −0
Original line number Diff line number Diff line
@@ -1487,6 +1487,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { 
            if (mFileMetaData != NULL) {

                ALOGV("chunk_data_size = %lld and data_offset = %lld",

                        chunk_data_size, data_offset);



                if (chunk_data_size >= SIZE_MAX - 1) {

                    return ERROR_MALFORMED;

                }

                uint8_t *buffer = new uint8_t[chunk_data_size + 1];

                if (mDataSource->readAt(

                    data_offset, buffer, chunk_data_size) != (ssize_t)chunk_data_size) {