Merge "Prevent integer overflow when processing covr MPEG4 atoms" into klp-dev

commit: 6ff53b96235bf99cdc1023b99d44f1c4cade1c0a [log] [tgz]
author: Wei Jia <wjia@google.com> Fri Jun 05 16:13:54 2015 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Fri Jun 05 16:13:55 2015 +0000
tree: 110bf6cfc4aedf1a7dc2c0f1c4764517fc1bbb69
parent: 82e90e10481c334bb5f2cecf1621cb8f9308c21c [diff]
parent: 05ddc499b9d50c90f552ed1333110f28a1406e7c [diff]
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 4ef9fee..b44fea5 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp

@@ -1724,7 +1724,14 @@
                 size = 0;
             }
 
+            if (SIZE_MAX - chunk_size <= size) {
+                return ERROR_MALFORMED;
+            }
+
             uint8_t *buffer = new uint8_t[size + chunk_size];
+            if (buffer == NULL) {
+                return ERROR_MALFORMED;
+            }
 
             if (size > 0) {
                 memcpy(buffer, data, size);
@@ -1762,6 +1769,10 @@
                     return ERROR_IO;
                 }
                 const int kSkipBytesOfDataBox = 16;
+                if (chunk_data_size <= kSkipBytesOfDataBox) {
+                    return ERROR_MALFORMED;
+                }
+
                 mFileMetaData->setData(
                     kKeyAlbumArt, MetaData::TYPE_NONE,
                     buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
commit	6ff53b96235bf99cdc1023b99d44f1c4cade1c0a	[log] [tgz]
author	Wei Jia <wjia@google.com>	Fri Jun 05 16:13:54 2015 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Fri Jun 05 16:13:55 2015 +0000
tree	110bf6cfc4aedf1a7dc2c0f1c4764517fc1bbb69
parent	82e90e10481c334bb5f2cecf1621cb8f9308c21c [diff]
parent	05ddc499b9d50c90f552ed1333110f28a1406e7c [diff]