Fix integer overflow when handling MPEG4 tx3g atom When the sum of the 'size' and 'chunk_size' variables is larger than 2^32, an integer overflow occurs. Using the result value to allocate memory leads to an undersized buffer allocation and later a potentially exploitable heap corruption condition. Ensure that integer overflow does not occur. Bug: 20923261 Change-Id: Id050a36b33196864bdd98b5ea24241f95a0b5d1f

commit: 93ba37d2fe2cd952723419705e8223429ac8d3b0 [log] [tgz]
author: Joshua J. Drake <android-open-source@qoop.org> Mon May 04 18:29:08 2015 -0500
committer: The Android Automerger <android-build@android.com> Mon Jul 27 12:38:01 2015 -0700
tree: de4b3adc9d7e35fd4473c8dc564e8b260cacae3f
parent: 6e7e30d4608c02a8869a71a3833f186dddc12896 [diff]
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 5221843..7354d6f 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp

@@ -1893,7 +1893,11 @@
                 size = 0;
             }
 
-            uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size];
+            if (SIZE_MAX - chunk_size <= size) {
+                return ERROR_MALFORMED;
+            }
+
+            uint8_t *buffer = new uint8_t[size + chunk_size];
             if (buffer == NULL) {
                 return ERROR_MALFORMED;
             }
commit	93ba37d2fe2cd952723419705e8223429ac8d3b0	[log] [tgz]
author	Joshua J. Drake <android-open-source@qoop.org>	Mon May 04 18:29:08 2015 -0500
committer	The Android Automerger <android-build@android.com>	Mon Jul 27 12:38:01 2015 -0700
tree	de4b3adc9d7e35fd4473c8dc564e8b260cacae3f
parent	6e7e30d4608c02a8869a71a3833f186dddc12896 [diff]