diff options
| author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 23:23:55 -0500 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2015-04-09 17:34:16 -0700 |
| commit | e2e812e58e8d2716b00d7d82db99b08d3afb4b32 (patch) | |
| tree | 8cad47288e56acea506594453134abcc40763c1c /media/libstagefright/SampleTable.cpp | |
| parent | e3e82d54c51a3130badcd9e433fe808d965f15c2 (diff) | |
| download | frameworks_av-e2e812e58e8d2716b00d7d82db99b08d3afb4b32.zip frameworks_av-e2e812e58e8d2716b00d7d82db99b08d3afb4b32.tar.gz frameworks_av-e2e812e58e8d2716b00d7d82db99b08d3afb4b32.tar.bz2 | |
Fix several ineffective integer overflow checks
Commit edd4a76 (which addressed bugs 15328708, 15342615, 15342751) added
several integer overflow checks. Unfortunately, those checks fail to take into
account integer promotion rules and are thus themselves subject to an integer
overflow. Cast the sizeof() operator to a uint64_t to force promotion while
multiplying.
Bug: 20139950
Change-Id: Ieb29a170edb805c722fc5658935f2390003e5260
Diffstat (limited to 'media/libstagefright/SampleTable.cpp')
| -rw-r--r-- | media/libstagefright/SampleTable.cpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index bdd6d56..b572af3 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -330,7 +330,7 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t); + uint64_t allocSize = mTimeToSampleCount * 2 * (uint64_t)sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } @@ -376,7 +376,7 @@ status_t SampleTable::setCompositionTimeToSampleParams( } mNumCompositionTimeDeltaEntries = numEntries; - uint64_t allocSize = numEntries * 2 * sizeof(uint32_t); + uint64_t allocSize = numEntries * 2 * (uint64_t)sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } @@ -426,7 +426,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) ALOGV("Table of sync samples is empty or has only a single entry!"); } - uint64_t allocSize = mNumSyncSamples * sizeof(uint32_t); + uint64_t allocSize = mNumSyncSamples * (uint64_t)sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } |