Bug 1154683 - Fix potential size overflow. r=kentuckyfriedtakahe, a=lmandel
authorJean-Yves Avenard <jyavenard@mozilla.com>
Mon, 20 Apr 2015 14:35:45 +1000
changeset 265701 4131212a78cedf48e0c5522556962e71a37f4abc
parent 265700 d5adf3a788c8bb690640531de2b089f100115eb6
child 265702 678bcebcb8a59341840486bcd10e72c86491cb95
push id4718
push userraliiev@mozilla.com
push dateMon, 11 May 2015 18:39:53 +0000
treeherdermozilla-beta@c20c4ef55f08 [default view] [failures only]
reviewerskentuckyfriedtakahe, lmandel
bugs1154683
milestone39.0a2
Bug 1154683 - Fix potential size overflow. r=kentuckyfriedtakahe, a=lmandel
media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -1838,16 +1838,20 @@ status_t MPEG4Extractor::parseChunk(off6
             uint32_t type;
             const void *data;
             size_t size = 0;
             if (!mLastTrack->meta->findData(
                     kKeyTextFormatData, &type, &data, &size)) {
                 size = 0;
             }
 
+            // Make sure (size + chunk_size) isn't going to overflow.
+            if (size > (size_t)-1 - chunk_size) {
+                return ERROR_MALFORMED;
+            }
             uint8_t *buffer = new uint8_t[size + chunk_size];
 
             if (size > 0) {
                 memcpy(buffer, data, size);
             }
 
             if ((size_t)(mDataSource->readAt(*offset, buffer + size, chunk_size))
                     < chunk_size) {
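Review bot: The added guard `if (size > (size_t)-1 - chunk_size)` is only sound when chunk_size is no wider than size_t, and its declaration is outside this hunk. If chunk_size is a 64-bit value and size_t is 32 bits, the subtraction is done in 64 bits, so a chunk_size above SIZE_MAX wraps the right-hand side and the check passes; `size + chunk_size` is then narrowed when it becomes the `new[]` length, while `readAt` is still asked for chunk_size bytes. I would bound chunk_size first: `if (chunk_size > SIZE_MAX || size > SIZE_MAX - (size_t)chunk_size) return ERROR_MALFORMED;`. parseChunk's body starts and ends outside the hunk, so whether an earlier check already limits chunk_size cannot be confirmed from here.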
@@ -2684,16 +2688,21 @@ status_t MPEG4Source::parseChunk(off64_t
             // The smallest valid chunk is 16 bytes long in this case.
             return ERROR_MALFORMED;
         }
     } else if (chunk_size < 8) {
         // The smallest valid chunk is 8 bytes long.
         return ERROR_MALFORMED;
     }
 
+    if (chunk_size >= INT32_MAX - 128) {
+        // Could cause an overflow later. Abort.
+        return ERROR_MALFORMED;
+    }
+
     char chunk[5];
     MakeFourCCString(chunk_type, chunk);
     ALOGV("MPEG4Source chunk %s @ %llx", chunk, *offset);
 
     off64_t chunk_data_size = *offset + chunk_size - data_offset;
 
     switch(chunk_type) {