Created
August 14, 2015 00:53
-
-
Save jduck/494a3520e0f463a4415e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From e746bacbf150fad31628357a4be27167d1060bcc Mon Sep 17 00:00:00 2001 | |
| From: "Joshua J. Drake" <android-open-source@qoop.org> | |
| Date: Thu, 13 Aug 2015 18:20:45 -0500 | |
| Subject: [PATCH] Prevent integer truncation in 'tx3g' processing | |
| Whenever the length of an atom in an MPEG4 file is set to 1, a 64-bit length is | |
| read from the atom's data and stored in the variable 'chunk_size'. A value | |
| larger than SIZE_MAX could satisfy the check added in the previous patch and, | |
| because the new[] operator only accepts 32-bit lengths on 32-bit platforms, | |
| integer truncation can occurr in the resulting allocation. Reject chunk_size | |
| values larger than SIZE_MAX (in addition to the original check) to prevent | |
| under-sized allocation. | |
| Change-Id: If9f92c088debc90fc0fc593c43e3d9471ea5ebf5 | |
| --- | |
| media/libstagefright/MPEG4Extractor.cpp | 2 +- | |
| 1 file changed, 1 insertion(+), 1 deletion(-) | |
| diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp | |
| index 5fab865..3024153 100644 | |
| --- a/media/libstagefright/MPEG4Extractor.cpp | |
| +++ b/media/libstagefright/MPEG4Extractor.cpp | |
| @@ -1953,7 +1953,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { | |
| size = 0; | |
| } | |
| - if (SIZE_MAX - chunk_size <= size) { | |
| + if (chunk_size > SIZE_MAX || SIZE_MAX - chunk_size <= size) { | |
| return ERROR_MALFORMED; | |
| } | |
| -- | |
| 1.9.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment