authorAbhishek Arya <aarya@google.com>2015-08-20 01:16:04 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-08-20 01:16:04 +0000
commit90be27c638576fa5fb3f279e51b013ee3fbe463b (patch)
tree17e05ec8949ea1fec84b65ec5524864e8c788ca3 /media/libstagefright/codecs/m4v_h263/dec
parentf81667bc5f7c7114c5cdfb39b6b8017854632be8 (diff)
parent4c5695d820723d9ce7f097fb6c40c09f21b13cd1 (diff)
am 4c5695d8: am f248e3ae: am 8369ac13: am 33235986: am 09c29ec4: am 94c1969c: Merge "libstagefright: check memory size for overflow before allocation." into klp-dev
* commit '4c5695d820723d9ce7f097fb6c40c09f21b13cd1': libstagefright: check memory size for overflow before allocation.
Diffstat (limited to 'media/libstagefright/codecs/m4v_h263/dec')
-rw-r--r--media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp39
1 files changed, 39 insertions, 0 deletions
diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
index 90d7c6b..af19bfe 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/pvdec_api.cpp
@@ -95,6 +95,11 @@ OSCL_EXPORT_REF Bool PVInitVideoDecoder(VideoDecControls *decCtrl, uint8 *volbuf
#ifdef DEC_INTERNAL_MEMORY_OPT
video->vol = (Vol **) IMEM_VOL;
#else
+ if ((size_t)nLayers > SIZE_MAX / sizeof(Vol *)) {
+ status = PV_FALSE;
+ goto fail;
+ }
+
video->vol = (Vol **) oscl_malloc(nLayers * sizeof(Vol *));
#endif
if (video->vol == NULL) status = PV_FALSE;
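Review bot: The `(size_t)nLayers` cast in the new guard does two jobs, and the second one deserves a comment. Besides bounding the multiplication, it turns a negative nLayers into a very large value, so negative counts are rejected too (assuming nLayers is a signed int, as in PVAllocVideoData's signature). A comment such as `/* cast also rejects nLayers < 0; bounds nLayers * sizeof(Vol *) */` above the `if` would stop a later cleanup from dropping the cast as redundant. The identical guard before the vopHeader allocation in the next hunk would take the same comment. The `goto fail` reaches PVCleanUpVideoDecoder while video->vol is still unassigned, so it relies on the cleanup tolerating unset members; that code is outside the visible lines.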
@@ -128,6 +133,11 @@ OSCL_EXPORT_REF Bool PVInitVideoDecoder(VideoDecControls *decCtrl, uint8 *volbuf
else oscl_memset(video->prevVop, 0, sizeof(Vop));
video->memoryUsage += (sizeof(Vop) * 2);
+ if ((size_t)nLayers > SIZE_MAX / sizeof(Vop *)) {
+ status = PV_FALSE;
+ goto fail;
+ }
+
video->vopHeader = (Vop **) oscl_malloc(sizeof(Vop *) * nLayers);
#endif
if (video->vopHeader == NULL) status = PV_FALSE;
@@ -277,6 +287,7 @@ OSCL_EXPORT_REF Bool PVInitVideoDecoder(VideoDecControls *decCtrl, uint8 *volbuf
status = PV_FALSE;
}
+fail:
if (status == PV_FALSE) PVCleanUpVideoDecoder(decCtrl);
return status;
@@ -305,6 +316,10 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
video->nMBPerRow * video->nMBPerCol;
}
+ if (((uint64_t)video->width * video->height) > (uint64_t)INT32_MAX / sizeof(PIXEL)) {
+ return PV_FALSE;
+ }
+
size = (int32)sizeof(PIXEL) * video->width * video->height;
#ifdef PV_MEMORY_POOL
decCtrl->size = size;
@@ -320,6 +335,9 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
video->prevVop->uChan = video->prevVop->yChan + size;
video->prevVop->vChan = video->prevVop->uChan + (size >> 2);
#else
+ if (size > INT32_MAX / 3 * 2) {
+ return PV_FALSE;
+ }
video->currVop->yChan = (PIXEL *) oscl_malloc(size * 3 / 2); /* Allocate memory for all VOP OKA 3/2/1*/
if (video->currVop->yChan == NULL) status = PV_FALSE;
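Review bot: The guard `if (size > INT32_MAX / 3 * 2)` is too loose for the expression it protects. `size * 3 / 2` evaluates `size * 3` first, so any size above INT32_MAX / 3 but at or below INT32_MAX / 3 * 2 passes the check and still overflows the 32-bit multiplication before the division (assuming size is the int32 that the cast at its assignment suggests). The bound should match the multiplication: `if (size > INT32_MAX / 3) {`. The same guard before the prevEnhcVop->yChan allocation in the next hunk has the same gap.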
@@ -347,6 +365,10 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
{
oscl_memset(video->prevEnhcVop, 0, sizeof(Vop));
#ifndef PV_MEMORY_POOL
+ if (size > INT32_MAX / 3 * 2) {
+ return PV_FALSE;
+ }
+
video->prevEnhcVop->yChan = (PIXEL *) oscl_malloc(size * 3 / 2); /* Allocate memory for all VOP OKA 3/2/1*/
if (video->prevEnhcVop->yChan == NULL) status = PV_FALSE;
video->prevEnhcVop->uChan = video->prevEnhcVop->yChan + size;
@@ -403,10 +425,17 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
if (video->acPredFlag == NULL) status = PV_FALSE;
video->memoryUsage += (nTotalMB);
+ if ((size_t)nTotalMB > SIZE_MAX / sizeof(typeDCStore)) {
+ return PV_FALSE;
+ }
video->predDC = (typeDCStore *) oscl_malloc(nTotalMB * sizeof(typeDCStore));
if (video->predDC == NULL) status = PV_FALSE;
video->memoryUsage += (nTotalMB * sizeof(typeDCStore));
+ if (nMBPerRow > INT32_MAX - 1
+ || (size_t)(nMBPerRow + 1) > SIZE_MAX / sizeof(typeDCACStore)) {
+ return PV_FALSE;
+ }
video->predDCAC_col = (typeDCACStore *) oscl_malloc((nMBPerRow + 1) * sizeof(typeDCACStore));
if (video->predDCAC_col == NULL) status = PV_FALSE;
video->memoryUsage += ((nMBPerRow + 1) * sizeof(typeDCACStore));
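Review bot: Both new checks here `return PV_FALSE` directly, after acPredFlag (just above) has already been allocated. The surrounding code instead records failure with `status = PV_FALSE`, and PVInitVideoDecoder routes its new checks through `goto fail` to PVCleanUpVideoDecoder. Whether PVAllocVideoData's callers free these buffers on a PV_FALSE return is not visible in this diff. If they do, a comment such as `/* caller runs PVCleanUpVideoDecoder on PV_FALSE */` at the first early return would document that; if they do not, these returns leak. The same applies to the early returns added before the QPMB, motX and pstprcTypCur allocations in the later hunks. The function body extends beyond this hunk.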
@@ -422,6 +451,10 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
video->headerInfo.CBP = (uint8 *) oscl_malloc(nTotalMB);
if (video->headerInfo.CBP == NULL) status = PV_FALSE;
video->memoryUsage += nTotalMB;
+
+ if ((size_t)nTotalMB > SIZE_MAX / sizeof(int16)) {
+ return PV_FALSE;
+ }
video->QPMB = (int16 *) oscl_malloc(nTotalMB * sizeof(int16));
if (video->QPMB == NULL) status = PV_FALSE;
video->memoryUsage += (nTotalMB * sizeof(int));
@@ -439,6 +472,9 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
video->memoryUsage += sizeof(MacroBlock);
}
/* Allocating motion vector space */
+ if ((size_t)nTotalMB > SIZE_MAX / (sizeof(MOT) * 4)) {
+ return PV_FALSE;
+ }
video->motX = (MOT *) oscl_malloc(sizeof(MOT) * 4 * nTotalMB);
if (video->motX == NULL) status = PV_FALSE;
video->motY = (MOT *) oscl_malloc(sizeof(MOT) * 4 * nTotalMB);
@@ -472,6 +508,9 @@ Bool PVAllocVideoData(VideoDecControls *decCtrl, int width, int height, int nLay
}
#else
+ if (nTotalMB > INT32_MAX / 6) {
+ return PV_FALSE;
+ }
video->pstprcTypCur = (uint8 *) oscl_malloc(nTotalMB * 6);
video->memoryUsage += (nTotalMB * 6);
if (video->pstprcTypCur == NULL)