From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
From: Gerald Squelart
Date: Wed, 9 Dec 2015 10:00:32 +0100
Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses - r=rillian, a=sylvestre

Found only one other use that needed better checks: the size of the pssh data was only checked after all items were added up; so it would be possible to create a set of big items such that they create an overflow, but the final sum looks reasonable. Instead each item size should be checked, and the sum should also be checked at each step.
---
 .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index a69fc14..413a495 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
 uint64_t psshsize = 0;
 for (size_t i = 0; i < mPssh.size(); i++) {
 psshsize += 20 + mPssh[i].datalen;
- }
- if (psshsize > kMAX_ALLOCATION) {
- return ERROR_MALFORMED;
+ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
+ psshsize > kMAX_ALLOCATION) {
+ return ERROR_MALFORMED;
+ }
 }
 if (psshsize) {
 char *buf = (char*)malloc(psshsize);
-- 
2.6.3
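Review bot: The per-item guard runs only after `psshsize += 20 + mPssh[i].datalen;`, so the loop accumulates a length taken from the file before validating it. The type of `datalen` is not visible in this hunk; if it is 32-bit, `20 + mPssh[i].datalen` is evaluated in 32 bits and can wrap before it is widened into the `uint64_t` sum, so the result is only safe because the following `datalen > kMAX_ALLOCATION - 20` test rejects that item afterwards. Validating first and widening explicitly makes the bound self-evident: `if (mPssh[i].datalen > kMAX_ALLOCATION - 20) return ERROR_MALFORMED;`, then `psshsize += 20 + (uint64_t)mPssh[i].datalen;`, then the `psshsize > kMAX_ALLOCATION` test. A short comment such as `// 20 = fixed per-entry header copied ahead of each data blob` (presumably, confirm against the copy loop) would explain the `- 20`. The `malloc(psshsize)` result is used past the end of the hunk, so whether it is null-checked cannot be confirmed from here.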