commit | c4717852eeb9eaa567990af14b7b4116e2d682f7 | |
---|---|---|
author | Nick Kralevich <nnk@google.com> | Fri Aug 07 11:19:24 2015 -0700 |
committer | Jon Larimer <jlarimer@google.com> | Thu Aug 13 11:23:02 2015 -0400 |
tree | caeba48b93282bf362c9bdee1315abff5a8c52af | |
parent | 913efd2bb99a056eb44395a93c6aa361a96dde6a | |

MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX

chunk_size is a uint64_t, so it can legitimately be bigger than SIZE_MAX, which would cause the subtraction to underflow.

https://code.google.com/p/android/issues/detail?id=182251

Bug: 23034759
Change-Id: Ic1637fb26bf6edb0feb1bcf2876fd370db1ed547

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 5fab865..1f635f4 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1953,7 +1953,7 @@ size = 0; } - if (SIZE_MAX - chunk_size <= size) { + if ((chunk_size > SIZE_MAX) || (SIZE_MAX - chunk_size <= size)) { return ERROR_MALFORMED; }
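
Review bot: the added `chunk_size > SIZE_MAX` clause in the `if` that guards `return ERROR_MALFORMED;` has no comment, and its purpose is not obvious from the condition alone. A one-line comment above the `if`, saying that chunk_size is a uint64_t and that `SIZE_MAX - chunk_size` wraps when chunk_size exceeds SIZE_MAX, would keep a later cleanup from dropping the clause as redundant. This matters most on builds where size_t is as wide as uint64_t: there the clause can never be true and a compiler may report it as an always-false comparison, so the comment should say the test is intentional for narrower size_t. A regression test that supplies a chunk_size larger than SIZE_MAX and expects ERROR_MALFORMED would also be worth adding alongside this change.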