Merge "FP2-1575: libstagefright: fix overflow in MPEG4Source::parse" into fp2-dev-v2
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 48c540d..998465d 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -85,6 +85,10 @@
#include "include/ID3.h"
#include "include/ExtendedUtils.h"
+#ifndef UINT32_MAX
+#define UINT32_MAX (4294967295U)
+#endif
+
#if defined(DOLBY_UDC) && defined(DEBUG_LOG_DDP_DECODER_EXTRA)
#define DLOGD ALOGD
#else
@@ -3543,12 +3547,26 @@
return ERROR_IO;
}
offset += 4;
+ if (entrycount == 0) {
+ return OK;
+ }
+ if (entrycount > UINT32_MAX / 8) {
+ return ERROR_MALFORMED;
+ }
if (entrycount > mCurrentSampleInfoOffsetsAllocSize) {
- mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+ uint64_t *newPtr = (uint64_t *)realloc(mCurrentSampleInfoOffsets, entrycount * 8);
+ if (newPtr == NULL) {
+ return NO_MEMORY;
+ }
+ mCurrentSampleInfoOffsets = newPtr;
mCurrentSampleInfoOffsetsAllocSize = entrycount;
}
mCurrentSampleInfoOffsetCount = entrycount;
+
+ if (mCurrentSampleInfoOffsets == NULL) {
+ return OK;
+ }
for (size_t i = 0; i < entrycount; i++) {
if (version == 0) {