Fix integer overflow during MP4 atom processing

A few sample table related FourCC values are handled by the setSampleToChunkParams function. An integer overflow exists within this function. Validate that mNumSampleToChunkOffets will not cause an integer overflow. Bug: 20139950 (cherry picked from commit c24607c) Change-Id: I49086952451b09a234d8b82669251ab9f1ef58d9
CyanogenMod · Jul 7, 2015 · ebf0d09 · ebf0d09
1 parent 75e78db
commit ebf0d09
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
@@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams(
         return ERROR_MALFORMED;
     }
 
+    if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets)
+        return ERROR_OUT_OF_RANGE;
+
     mSampleToChunkEntries =
         new SampleToChunkEntry[mNumSampleToChunkOffsets];