Bug 1154683 - Fix potential size overflow. r=kentuckyfriedtakahe, a=sledru
authorJean-Yves Avenard <jyavenard@mozilla.com>
Mon, 20 Apr 2015 14:35:45 +1000
changeset 260231 22f8fa3a9273
parent 260230 92fb098ace7a
child 260232 90d2538212ab
child 260367 a5fe44c26c59
push id723
push userryanvm@gmail.com
push date2015-04-22 14:15 +0000
reviewerskentuckyfriedtakahe, sledru
bugs1154683
milestone38.0
Bug 1154683 - Fix potential size overflow. r=kentuckyfriedtakahe, a=sledru
media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -1838,16 +1838,20 @@ status_t MPEG4Extractor::parseChunk(off6
             uint32_t type;
             const void *data;
             size_t size = 0;
             if (!mLastTrack->meta->findData(
                     kKeyTextFormatData, &type, &data, &size)) {
                 size = 0;
             }
 
+            // Make sure (size + chunk_size) isn't going to overflow.
+            if (size > (size_t)-1 - chunk_size) {
+                return ERROR_MALFORMED;
+            }
             uint8_t *buffer = new uint8_t[size + chunk_size];
 
             if (size > 0) {
                 memcpy(buffer, data, size);
             }
 
             if ((size_t)(mDataSource->readAt(*offset, buffer + size, chunk_size))
                     < chunk_size) {
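Review bot: The added guard `if (size > (size_t)-1 - chunk_size)` is only sound if chunk_size is no wider than size_t. Its declaration is outside the hunk, but if it is a 64-bit value on a 32-bit build, the subtraction is done in 64 bits and wraps for any chunk_size above SIZE_MAX, so the check passes and `size + chunk_size` is truncated when it becomes the array length, leaving the following memcpy and readAt writing into an undersized buffer. Bounding chunk_size first closes that case: `if (chunk_size > SIZE_MAX || size > SIZE_MAX - chunk_size) return ERROR_MALFORMED;`. The check also only rules out wrap-around, so a file-supplied chunk_size can still request an allocation near the address-space limit; a sanity cap on the accumulated text-format data would be worth considering. parseChunk's body starts and ends outside the hunk.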
@@ -2684,16 +2688,21 @@ status_t MPEG4Source::parseChunk(off64_t
             // The smallest valid chunk is 16 bytes long in this case.
             return ERROR_MALFORMED;
         }
     } else if (chunk_size < 8) {
         // The smallest valid chunk is 8 bytes long.
         return ERROR_MALFORMED;
     }
 
+    if (chunk_size >= INT32_MAX - 128) {
+        // Could cause an overflow later. Abort.
+        return ERROR_MALFORMED;
+    }
+
     char chunk[5];
     MakeFourCCString(chunk_type, chunk);
     ALOGV("MPEG4Source chunk %s @ %llx", chunk, *offset);
 
     off64_t chunk_data_size = *offset + chunk_size - data_offset;
 
     switch(chunk_type) {