Fix integer overflow during MP4 atom processing A few sample table related FourCC values are handled by the setSampleToChunkParams function. An integer overflow exists within this function. Validate that mNumSampleToChunkOffets will not cause an integer overflow. Bug: 20139950 Change-Id: I1972cc185fce5e058afa143ad5eabcc269ad324d

commit: c24607c29c96f939aed9e33bfa702b1dd79da4b7 [log] [tgz]
author: Joshua J. Drake <android-open-source@qoop.org> Wed Apr 08 23:44:57 2015 -0500
committer: Nick Kralevich <nnk@google.com> Thu Apr 09 17:34:16 2015 -0700
tree: 308a07dbcde69ced72f36758ac24b6506e7ad8ed
parent: ad435371a4b95e16ceb49ab28efc04da8b3680e1 [diff]
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index bfae474..aba64d5 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp

@@ -230,6 +230,9 @@
         return ERROR_MALFORMED;
     }
 
+    if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets)
+        return ERROR_OUT_OF_RANGE;
+
     mSampleToChunkEntries =
         new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets];
     if (!mSampleToChunkEntries)
commit	c24607c29c96f939aed9e33bfa702b1dd79da4b7	[log] [tgz]
author	Joshua J. Drake <android-open-source@qoop.org>	Wed Apr 08 23:44:57 2015 -0500
committer	Nick Kralevich <nnk@google.com>	Thu Apr 09 17:34:16 2015 -0700
tree	308a07dbcde69ced72f36758ac24b6506e7ad8ed
parent	ad435371a4b95e16ceb49ab28efc04da8b3680e1 [diff]