Prevent integer overflow when processing covr MPEG4 atoms
If the 'chunk_data_size' value is SIZE_MAX, an integer overflow will occur
and cause an undersized buffer to be allocated. The following processing
then overfills the resulting memory and creates a potentially exploitable
condition. Ensure that integer overflow does not occur.
Bug: 20923261
Change-Id: I75cce323aec04a612e5a230ecd7c2077ce06035f
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 9bb0179..fd1722b 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2020,6 +2020,10 @@
if (mFileMetaData != NULL) {
ALOGV("chunk_data_size = %lld and data_offset = %lld",
(long long)chunk_data_size, (long long)data_offset);
+
+ if (chunk_data_size >= SIZE_MAX - 1) {
+ return ERROR_MALFORMED;
+ }
sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
if (mDataSource->readAt(
data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {