Fix integer overflow when handling MPEG4 tx3g atom

When the sum of the 'size' and 'chunk_size' variables is larger than 2^32, an integer overflow occurs. Using the result value to allocate memory leads to an undersized buffer allocation and later a potentially exploitable heap corruption condition. Ensure that integer overflow does not occur. Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f
CyanogenMod · Jul 14, 2015 · 5fd0cb5 · 5fd0cb5
1 parent 0c3e1ca
commit 5fd0cb5
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
@@ -1961,6 +1961,9 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 size = 0;
             }
 
+            if (SIZE_MAX - chunk_size <= size)
+                return ERROR_MALFORMED;
+
             uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size];
             if (buffer == NULL) {
                 return ERROR_MALFORMED;