Add more size checking for 'stss' box Test: run poc Bug: 124771364 Change-Id: Id34dea17f78715eb7c44a3959c654b0f09ead3fb

commit: 0db35529c7b1aaf7c08d59f22297781cf5195712 [log] [tgz]
author: Dongwon Kang <dwkang@google.com> Wed May 15 14:55:14 2019 -0700
committer: Bryan Ferris <bferris@google.com> Mon Feb 24 12:24:51 2020 -0800
tree: 46b0391c78791259d90ff1678b075fbdcba5d0f8
parent: f562ce8410c5ffa9b28023006d20e03588e0c39d [diff]
diff --git a/media/extractors/mp4/SampleTable.cpp b/media/extractors/mp4/SampleTable.cpp
index bf29bf1..6558033 100644
--- a/media/extractors/mp4/SampleTable.cpp
+++ b/media/extractors/mp4/SampleTable.cpp

@@ -540,6 +540,12 @@
     }
 
     uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t);
+    if (allocSize > data_size - 8) {
+        ALOGW("b/124771364 - allocSize(%lu) > size(%lu)",
+                (unsigned long)allocSize, (unsigned long)(data_size - 8));
+        android_errorWriteLog(0x534e4554, "124771364");
+        return ERROR_MALFORMED;
+    }
     if (allocSize > kMaxTotalSize) {
         ALOGE("Sync sample table size too large.");
         return ERROR_OUT_OF_RANGE;
commit	0db35529c7b1aaf7c08d59f22297781cf5195712	[log] [tgz]
author	Dongwon Kang <dwkang@google.com>	Wed May 15 14:55:14 2019 -0700
committer	Bryan Ferris <bferris@google.com>	Mon Feb 24 12:24:51 2020 -0800
tree	46b0391c78791259d90ff1678b075fbdcba5d0f8
parent	f562ce8410c5ffa9b28023006d20e03588e0c39d [diff]