Fix integer underflow in covr MPEG4 processing When the 'chunk_data_size' variable is less than 'kSkipBytesOfDataBox', an integer underflow can occur. This causes an extraordinarily large value to be passed to MetaData::setData, leading to a buffer overflow. Bug: 20923261 Change-Id: Icd28f63594ad941eabb3a12c750a4a2d5d2bf94b

commit: f4a88c8ed4f8186b3d6e2852993e063fc33ff231 [log] [tgz]
author: Joshua J. Drake <android-open-source@qoop.org> Mon May 04 17:14:11 2015 -0500
committer: The Android Automerger <android-build@google.com> Thu Jul 09 14:03:00 2015 -0700
tree: cc62d67d586327578eae760574d93ccab2377a46
parent: 3cb1b6944e776863aea316e25fdc16d7f9962902 [diff]
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 9689ce4..5221843 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp

@@ -1934,6 +1934,10 @@
                     return ERROR_IO;
                 }
                 const int kSkipBytesOfDataBox = 16;
+                if (chunk_data_size <= kSkipBytesOfDataBox) {
+                    return ERROR_MALFORMED;
+                }
+
                 mFileMetaData->setData(
                     kKeyAlbumArt, MetaData::TYPE_NONE,
                     buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
commit	f4a88c8ed4f8186b3d6e2852993e063fc33ff231	[log] [tgz]
author	Joshua J. Drake <android-open-source@qoop.org>	Mon May 04 17:14:11 2015 -0500
committer	The Android Automerger <android-build@google.com>	Thu Jul 09 14:03:00 2015 -0700
tree	cc62d67d586327578eae760574d93ccab2377a46
parent	3cb1b6944e776863aea316e25fdc16d7f9962902 [diff]