Commit e5f0966c authored by Joshua J. Drake, committed by Wei Jia

Fix integer overflow when handling MPEG4 tx3g atom

When the sum of the 'size' and 'chunk_size' variables is larger than 2^32,
an integer overflow occurs. Using the result value to allocate memory
leads to an undersized buffer allocation and later a potentially
exploitable heap corruption condition. Ensure that integer overflow does
not occur.

Bug: 20923261
Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f
parent 0e27e080
+7 −0
@@ -1724,7 +1724,14 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                size = 0;
                size = 0;
            }
            }


            if (SIZE_MAX - chunk_size <= size) {
                return ERROR_MALFORMED;
            }

            uint8_t *buffer = new uint8_t[size + chunk_size];
            uint8_t *buffer = new uint8_t[size + chunk_size];
            if (buffer == NULL) {
                return ERROR_MALFORMED;
            }


            if (size > 0) {
            if (size > 0) {
                memcpy(buffer, data, size);
                memcpy(buffer, data, size);
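
Review bot: the new guard `if (SIZE_MAX - chunk_size <= size)` is only sound when both `size` and `chunk_size` are no wider than `size_t`, and neither declaration is visible in this hunk. If `chunk_size` is a 64-bit type and this is compiled for a 32-bit target, `SIZE_MAX - chunk_size` is evaluated in 64-bit arithmetic and wraps to a very large value when `chunk_size` exceeds `SIZE_MAX`, so the comparison passes and `size + chunk_size` is still truncated when it becomes the `new uint8_t[...]` length. Please confirm the types, and if either can be wider than `size_t`, reject `chunk_size > SIZE_MAX` (and likewise `size`) before doing the subtraction. Separately, the added `if (buffer == NULL)` check after `new uint8_t[size + chunk_size]` is dead unless this allocation can actually return null: plain `new` reports failure by throwing (or aborting when exceptions are disabled). Use `new (std::nothrow) uint8_t[...]` if a checked failure path is intended, and consider returning an out-of-memory status there rather than `ERROR_MALFORMED`, since the input is not necessarily malformed when allocation fails.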