authorWonsik Kim <wonsik@google.com>2015-09-03 09:54:28 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-09-03 09:54:28 +0000
commit3f79dbfcb1a62c28094b403ba954ab4543d709f7 (patch)
tree31568a00572464d290bec403d071720fe0f8e42b /media/libstagefright/OggExtractor.cpp
parent66b24004345ff8a688e8548409b0b7d5a8902232 (diff)
parentd77786c699c3f846b57b8a8ea00f20749f550960 (diff)
am d77786c6: am a6c650a9: am 436b32d1: am d2605273: Ogg: avoid size_t overflow in base64 decoding
* commit 'd77786c699c3f846b57b8a8ea00f20749f550960': Ogg: avoid size_t overflow in base64 decoding
Diffstat (limited to 'media/libstagefright/OggExtractor.cpp')
-rw-r--r--media/libstagefright/OggExtractor.cpp20
1 files changed, 15 insertions, 5 deletions
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 45095fc..61af3c6 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -893,11 +893,14 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) {
}
}
- size_t outLen = 3 * size / 4 - padding;
-
- *outSize = outLen;
+ // We divide first to avoid overflow. It's OK to do this because we
+ // already made sure that size % 4 == 0.
+ size_t outLen = (size / 4) * 3 - padding;
void *buffer = malloc(outLen);
+ if (buffer == NULL) {
+ return NULL;
+ }
uint8_t *out = (uint8_t *)buffer;
size_t j = 0;
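Review bot: The added `if (buffer == NULL)` check after `malloc(outLen)` cannot tell an allocation failure from a zero-length request, because `malloc(0)` is allowed to return NULL. Whether `size == 0` can reach this line depends on checks above the hunk, which are not visible here. If it can, an empty input would be reported as a decode error on such a platform, and `void *buffer = malloc(outLen > 0 ? outLen : 1);` would avoid that. The new comment explains the division order but not why `- padding` cannot wrap, so it is worth adding a line on that once the padding logic above the hunk is confirmed.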
@@ -916,10 +919,10 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) {
} else if (c == '/') {
value = 63;
} else if (c != '=') {
- return NULL;
+ break;
} else {
if (i < n - padding) {
- return NULL;
+ break;
}
value = 0;
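Review bot: Neither `break` in this hunk says what happens next, and the error handling they depend on is in the last hunk, where the `j < outLen` check after the loop frees `buffer` and returns NULL. A comment at each site, for example `// Malformed input: leave the loop; the j < outLen check below frees buffer and fails.`, would make that dependency visible. Without it, a later change to how the loop advances `j` could turn a rejected input into a successful return of a partly filled buffer. The loop begins and ends outside this hunk.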
@@ -937,6 +940,13 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) {
}
}
+ // Check if we exited the loop early.
+ if (j < outLen) {
+ free(buffer);
+ return NULL;
+ }
+
+ *outSize = outLen;
return (uint8_t *)buffer;
}
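Review bot: `*outSize` is now written only on the success path, so on both NULL returns added by this commit (the allocation failure in the first hunk and the early-exit branch here) the caller's variable keeps its previous value. The start of the function is outside the hunk, so it may already zero it. If it does not, adding `*outSize = 0;` before each `return NULL;` would stop a caller that reads the size without checking the pointer from using a stale length. A one-line note on the function stating that NULL means failure and `*outSize` is then 0 would document the contract.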