33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
|
|
From: Jean-Yves Avenard <jyavenard@mozilla.com>
|
|
Date: Wed, 9 Dec 2015 09:54:58 +0100
|
|
Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
|
|
r=kentuckyfriedtakahe, a=sylvestre
|
|
|
|
---
|
|
.../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
|
|
index 22163fa..318152a 100644
|
|
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
|
|
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
|
|
@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
|
|
CHECK_NE(err, (status_t)NO_INIT);
|
|
|
|
// copy pssh data into file metadata
|
|
- int psshsize = 0;
|
|
+ uint64_t psshsize = 0;
|
|
for (size_t i = 0; i < mPssh.size(); i++) {
|
|
psshsize += 20 + mPssh[i].datalen;
|
|
}
|
|
+ if (psshsize > kMAX_ALLOCATION) {
|
|
+ return ERROR_MALFORMED;
|
|
+ }
|
|
if (psshsize) {
|
|
char *buf = (char*)malloc(psshsize);
|
|
char *ptr = buf;
|
|
--
|
|
2.6.3
|
|
|