Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
From e746bacbf150fad31628357a4be27167d1060bcc Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake" <android-open-source@qoop.org>
Date: Thu, 13 Aug 2015 18:20:45 -0500
Subject: [PATCH] Prevent integer truncation in 'tx3g' processing
Whenever the length of an atom in an MPEG4 file is set to 1, a 64-bit length is
read from the atom's data and stored in the variable 'chunk_size'. A value
larger than SIZE_MAX could satisfy the check added in the previous patch and,
because the new[] operator only accepts 32-bit lengths on 32-bit platforms,
integer truncation can occurr in the resulting allocation. Reject chunk_size
values larger than SIZE_MAX (in addition to the original check) to prevent
under-sized allocation.
Change-Id: If9f92c088debc90fc0fc593c43e3d9471ea5ebf5
---
media/libstagefright/MPEG4Extractor.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 5fab865..3024153 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1953,7 +1953,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
size = 0;
}
- if (SIZE_MAX - chunk_size <= size) {
+ if (chunk_size > SIZE_MAX || SIZE_MAX - chunk_size <= size) {
return ERROR_MALFORMED;
}
--
1.9.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.