author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 23:44:57 -0500 |
---|---|---|
committer | Abhisek Devkota <ciwrl@cyanogenmod.com> | 2015-08-13 12:46:08 -0700 |
commit | 0c0643ec7f1420c8a4aa696df1ad5b77a6adcb93 (patch) | |
tree | 02fcc427cf69146ab2fa489009daca8bd8eaf67e | |
parent | 167c07f9c8a888ca8e7df11d776f24d696b53ce7 (diff) | |
Fix integer overflow during MP4 atom processing
A few sample table related FourCC values are handled by the
setSampleToChunkParams function. An integer overflow exists within this
function. Validate that mNumSampleToChunkOffsets will not cause an integer
overflow.
CYNGNOS-446
Bug: 20139950
(cherry picked from commit c24607c29c96f939aed9e33bfa702b1dd79da4b7)
Change-Id: I49086952451b09a234d8b82669251ab9f1ef58d9
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index ff88497cb0..b86c613203 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams( return ERROR_MALFORMED; } + if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets) + return ERROR_OUT_OF_RANGE; + mSampleToChunkEntries = new SampleToChunkEntry[mNumSampleToChunkOffsets]; |
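Review bot: The guard added ahead of `new SampleToChunkEntry[mNumSampleToChunkOffsets]` only rules out wraparound of the count-times-element-size multiplication. A count just below `SIZE_MAX / sizeof(SampleToChunkEntry)` still passes and reaches the allocation with a request close to the full address space, and how that allocation failing is handled is not visible in this hunk. If the size of the atom's data is available at this point in `setSampleToChunkParams`, consider also rejecting a count larger than the atom could actually hold, so the bound comes from the file rather than from `SIZE_MAX`. Two smaller points: the new `if` has no braces while the preceding block in the context lines (ending in `return ERROR_MALFORMED; }`) does, and a one-line comment stating that the check protects the array allocation would help the next reader. The `<=` comparison also rejects the exact boundary value, which is conservative and fine, but worth noting in that comment.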