From 305f63eb742ee8ddf2fcab87dd726b8bee3b0106 Mon Sep 17 00:00:00 2001
From: Gerald Squelart
Date: Wed, 11 Nov 2015 12:36:26 +0100
Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses - r=rillian

Found only one other use that needed better checks: the size of the pssh data was only checked after all items were added up; so it would be possible to create a set of big items such that they create an overflow, but the final sum looks reasonable. Instead each item size should be checked, and the sum should also be checked at each step.
---
 .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index ff8420059d62..d498288e9fff 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -514,9 +514,10 @@ status_t MPEG4Extractor::readMetaData() {
 uint64_t psshsize = 0;
 for (size_t i = 0; i < mPssh.Length(); i++) {
 psshsize += 20 + mPssh[i].datalen;
- }
- if (psshsize > kMAX_ALLOCATION) {
- return ERROR_MALFORMED;
+ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
+ psshsize > kMAX_ALLOCATION) {
+ return ERROR_MALFORMED;
+ }
 }
 if (psshsize) {
 char *buf = (char*)malloc(psshsize);
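Review bot: In the loop body, `psshsize += 20 + mPssh[i].datalen;` still runs before the new per-item check, so the guard is sound only because the early return discards a sum that may already have wrapped; if `datalen` is a 32-bit field (its declaration is outside the hunk), `20 + datalen` is evaluated in 32 bits before it is widened into `psshsize`. Testing the item first and widening explicitly would make the check independent of the field's type: put `if (mPssh[i].datalen > kMAX_ALLOCATION - 20) return ERROR_MALFORMED;` above the addition and write `psshsize += 20 + uint64_t(mPssh[i].datalen);`. The subtraction also assumes `kMAX_ALLOCATION` is at least 20, which deserves a comment next to the constant, as does the meaning of the literal 20. The hunk ends at the `malloc(psshsize)` line, so whether `buf` is null-checked before it is written to is not visible here; since sizes up to `kMAX_ALLOCATION` are accepted, that check should exist.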