commit c87faed60483afb2466e03892bda80b72e5822c7
author Joshua J. Drake <android-open-source@qoop.org> Mon May 04 17:14:11 2015 -0500
committer Nick Kralevich <nnk@google.com> Tue Aug 04 13:58:23 2015 -0700
tree ace05d3b571e33ebb187497647db39c797f8c62c
parent f1ce97ddc2f82d844a6fb8341585eb7b2e655f44

Fix integer underflow in covr MPEG4 processing

When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an
integer underflow can occur. This causes an extraordinarily large value to
be passed to MetaData::setData, leading to a buffer overflow.

Bug: 20923261
(cherry picked from commit 4a492bf2ac47b9844d2527e1fcdf0064c3d8d52e)

Change-Id: I83490cbaf5b368073fcd8668a9241dfc90bebd90

media/libstagefright/MPEG4Extractor.cpp

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index e0954cc..9c5859f 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -1444,6 +1444,10 @@
                     return ERROR_IO;
                 }
                 const int kSkipBytesOfDataBox = 16;
+                if (chunk_data_size <= kSkipBytesOfDataBox) {
+                    return ERROR_MALFORMED;
+                }
+
                 mFileMetaData->setData(
                     kKeyAlbumArt, MetaData::TYPE_NONE,
                     buffer + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);