Prevent integer overflow when processing covr MPEG4 atoms

If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur and cause an undersized buffer to be allocated. The following processing then overfills the resulting memory and creates a potentially exploitable condition. Ensure that integer overflow does not occur. Bug: 20923261 Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f

Prevent integer overflow when processing covr MPEG4 atoms
If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur and cause an undersized buffer to be allocated. The following processing then overfills the resulting memory and creates a potentially exploitable condition. Ensure that integer overflow does not occur. Bug: 20923261 Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f
2674a721 · Joshua J. Drake · The Android Automerger · e846a5f3 · 2674a721
Commit 2674a721 authored 10 years ago by Joshua J. Drake Committed by The Android Automerger 10 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

media/libstagefright/MPEG4Extractor.cpp media/libstagefright/MPEG4Extractor.cpp +4 -0

No files found.
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1932,6 +1932,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
            if (mFileMetaData != NULL) {
                ALOGV("chunk_data_size = %lld and data_offset = %lld",
                        chunk_data_size, data_offset);
+
+                if (chunk_data_size >= SIZE_MAX - 1) {
+                    return ERROR_MALFORMED;
+                }
                sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
                if (mDataSource->readAt(
                    data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {