Merge "libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable." into lmp-dev

author: Wei Jia <wjia@google.com> 2015-08-20 04:25:47 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2015-08-20 04:25:47 +0000
commit: 4b995f73b581ce0705b537317f32ad76bddb55fa (patch)
tree: fbef9d0625edd8e0c489b88061026c04c292fad1
parent: a9b3cd3c101b68522a3d8492cb3a19d8b5409329 (diff)
parent: 5a132594b531f1f48098a790927f82080cc27f61 (diff)
download: frameworks_av-4b995f73b581ce0705b537317f32ad76bddb55fa.zip
frameworks_av-4b995f73b581ce0705b537317f32ad76bddb55fa.tar.gz
frameworks_av-4b995f73b581ce0705b537317f32ad76bddb55fa.tar.bz2
2 files changed, 16 insertions, 3 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 0c7cba4..d7251f4 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -27,6 +27,11 @@
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/Utils.h>
 
+/* TODO: remove after being merged into other branches */
+#ifndef UINT32_MAX
+#define UINT32_MAX       (4294967295U)
+#endif
+
 namespace android {
 
 // static
@@ -282,6 +287,9 @@ status_t SampleTable::setSampleSizeParams(
 
     mDefaultSampleSize = U32_AT(&header[4]);
     mNumSampleSizes = U32_AT(&header[8]);
+    if (mNumSampleSizes > (UINT32_MAX - 12) / 16) {
+        return ERROR_MALFORMED;
+    }
 
     if (type == kSampleSizeType32) {
         mSampleSizeFieldSize = 32;
@@ -498,7 +506,7 @@ int SampleTable::CompareIncreasingTime(const void *_a, const void *_b) {
 void SampleTable::buildSampleEntriesTable() {
     Mutex::Autolock autoLock(mLock);
 
-    if (mSampleTimeEntries != NULL) {
+    if (mSampleTimeEntries != NULL || mNumSampleSizes == 0) {
         return;
     }
 
@@ -541,6 +549,10 @@ status_t SampleTable::findSampleAtTime(
         uint32_t *sample_index, uint32_t flags) {
     buildSampleEntriesTable();
 
+    if (mSampleTimeEntries == NULL) {
+        return ERROR_OUT_OF_RANGE;
+    }
+
     uint32_t left = 0;
     uint32_t right_plus_one = mNumSampleSizes;
     while (left < right_plus_one) {
diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h
index d06df7b..460492b 100644
--- a/media/libstagefright/include/SampleTable.h
+++ b/media/libstagefright/include/SampleTable.h
@@ -142,8 +142,9 @@ private:
     // normally we don't round
     inline uint64_t getSampleTime(
             size_t sample_index, uint64_t scale_num, uint64_t scale_den) const {
-        return (mSampleTimeEntries[sample_index].mCompositionTime
-            * scale_num) / scale_den;
+        return (sample_index < (size_t)mNumSampleSizes && mSampleTimeEntries != NULL
+                && scale_den != 0)
+                ? (mSampleTimeEntries[sample_index].mCompositionTime * scale_num) / scale_den : 0;
     }
 
     status_t getSampleSize_l(uint32_t sample_index, size_t *sample_size);
author	Wei Jia <wjia@google.com>	2015-08-20 04:25:47 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2015-08-20 04:25:47 +0000
commit	4b995f73b581ce0705b537317f32ad76bddb55fa (patch)
tree	fbef9d0625edd8e0c489b88061026c04c292fad1
parent	a9b3cd3c101b68522a3d8492cb3a19d8b5409329 (diff)
parent	5a132594b531f1f48098a790927f82080cc27f61 (diff)
download	frameworks_av-4b995f73b581ce0705b537317f32ad76bddb55fa.zip frameworks_av-4b995f73b581ce0705b537317f32ad76bddb55fa.tar.gz frameworks_av-4b995f73b581ce0705b537317f32ad76bddb55fa.tar.bz2