Bug 1206211: P1. Ensure operation can't overflow. r=kentuckyfriedtakahe a=lizzard
authorJean-Yves Avenard <jyavenard@mozilla.com>
Thu, 03 Dec 2015 14:58:55 -0800
changeset 298572 3a00ac7ecacb81cf137b72b3c2c716033898e387
parent 298571 c383c019d1445c5ed4b71317a5a19bab867920f7
child 298573 c288fafdfb4fe809d3e57b964bfbcdd98ccd502c
push id962
push userjlund@mozilla.com
push dateFri, 04 Dec 2015 23:28:54 +0000
treeherdermozilla-release@23a2d286e80f [default view] [failures only]
reviewerskentuckyfriedtakahe, lizzard
bugs1206211
milestone43.0
Bug 1206211: P1. Ensure operation can't overflow. r=kentuckyfriedtakahe a=lizzard
media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -502,20 +502,23 @@ status_t MPEG4Extractor::readMetaData() 
         mInitCheck = OK;
     } else {
         mInitCheck = err;
     }
 
     CHECK_NE(err, (status_t)NO_INIT);
 
     // copy pssh data into file metadata
-    int psshsize = 0;
+    uint64_t psshsize = 0;
     for (size_t i = 0; i < mPssh.Length(); i++) {
         psshsize += 20 + mPssh[i].datalen;
     }
+    if (psshsize > kMAX_ALLOCATION) {
+        return ERROR_MALFORMED;
+    }
     if (psshsize) {
         char *buf = (char*)malloc(psshsize);
         char *ptr = buf;
         for (size_t i = 0; i < mPssh.Length(); i++) {
             memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
             memcpy(ptr + 20, mPssh[i].data, mPssh[i].datalen);
             ptr += (20 + mPssh[i].datalen);
         }
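Review bot: The result of `malloc(psshsize)` is passed to the `memcpy` calls in the copy loop without a null check, and the new cap still allows requests up to `kMAX_ALLOCATION`, so an allocation failure on a file with large pssh boxes would turn into a write through a null-based pointer. A guard directly after the allocation, such as `if (!buf) { return ERROR_MALFORMED; }` (or whichever status callers expect for out-of-memory), would close that. Separately, the new early return leaves `mInitCheck` as assigned just above, possibly `OK`, while the function itself returns `ERROR_MALFORMED`; if anything consults `mInitCheck` later, it may be worth setting it to the same error before returning. The body of `readMetaData()` begins and ends outside this hunk, so what happens to `buf` after the loop is not visible here.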