author | Wonsik Kim <wonsik@google.com> | 2015-09-03 09:54:28 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-09-03 09:54:28 +0000 |
commit | 3f79dbfcb1a62c28094b403ba954ab4543d709f7 (patch) | |
tree | 31568a00572464d290bec403d071720fe0f8e42b /media/libstagefright/OggExtractor.cpp | |
parent | 66b24004345ff8a688e8548409b0b7d5a8902232 (diff) | |
parent | d77786c699c3f846b57b8a8ea00f20749f550960 (diff) | |
am d77786c6: am a6c650a9: am 436b32d1: am d2605273: Ogg: avoid size_t overflow in base64 decoding
* commit 'd77786c699c3f846b57b8a8ea00f20749f550960':
Ogg: avoid size_t overflow in base64 decoding
Diffstat (limited to 'media/libstagefright/OggExtractor.cpp')
-rw-r--r-- | media/libstagefright/OggExtractor.cpp | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 45095fc..61af3c6 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -893,11 +893,14 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) {
 }
 }
- size_t outLen = 3 * size / 4 - padding;
-
- *outSize = outLen;
+ // We divide first to avoid overflow. It's OK to do this because we
+ // already made sure that size % 4 == 0.
+ size_t outLen = (size / 4) * 3 - padding;
 void *buffer = malloc(outLen);
+ if (buffer == NULL) {
+ return NULL;
+ }
 uint8_t *out = (uint8_t *)buffer;
 size_t j = 0;
@@ -916,10 +919,10 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) {
 } else if (c == '/') {
 value = 63;
 } else if (c != '=') {
- return NULL;
+ break;
 } else {
 if (i < n - padding) {
- return NULL;
+ break;
 }
 value = 0;
@@ -937,6 +940,13 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) {
 }
 }
+ // Check if we exited the loop early.
+ if (j < outLen) {
+ free(buffer);
+ return NULL;
+ }
+
+ *outSize = outLen;
 return (uint8_t *)buffer;
 }
|
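Review bot: The new comment above `size_t outLen = (size / 4) * 3 - padding;` explains why the multiplication cannot overflow, but not why the subtraction cannot wrap below zero, which would also turn this `size_t` into a bogus allocation size. The `size % 4 == 0` check and the code that sets `padding` are outside this hunk; presumably `padding` counts trailing `=` characters, so it is non-zero only for a non-empty input and `size >= 4` then keeps the result at 1 or more. I would state that in the comment, e.g. `// size % 4 == 0 also means size >= 4 whenever padding > 0, so the subtraction cannot wrap.` Separately, for `size == 0` the added `buffer == NULL` check makes the outcome depend on whether `malloc(0)` returns NULL on the platform, which deserves a one-line comment as well.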
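Review bot: The `if (j < outLen)` check added before the final `return` detects the new `break` exits only indirectly, through the number of bytes written, and nothing in the hunk says why that is sufficient. It holds as long as a `break` always happens before the quartet containing the last output byte is flushed; the loop body that writes `out[j++]` is outside these hunks, so this should be confirmed there. A comment such as `// A break leaves the current quartet unflushed, so j < outLen identifies every early exit.` would make the invariant explicit for the next change to the loop. Moving `*outSize = outLen;` to the success path also means callers get no length on failure unless the function clears `*outSize` earlier, which is not visible here.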