author | Wonsik Kim <wonsik@google.com> | 2015-09-07 15:52:27 +0900 |
---|---|---|
committer | Wonsik Kim <wonsik@google.com> | 2015-09-18 14:20:15 +0900 |
commit | 12d4a6a2636f41d1ee1bc10a23df13ce09efbff6 (patch) | |
tree | 05f56e70007b9fdd0df14a7f72e69c755ea33df8 /media/libstagefright/foundation | |
parent | dffe5cdb436987a65a9010460979507c06b5c904 (diff) | |
DO NOT MERGE Avoid size_t overflow in base64 decoding once again
Switch to foundation base64 function in OggExtractor and fix the
issue there.
Bug: 23707088
Change-Id: If8ba3347c213fe7a36668c943ed264f2871ad468
Diffstat (limited to 'media/libstagefright/foundation')
-rw-r--r-- | media/libstagefright/foundation/base64.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/media/libstagefright/foundation/base64.cpp b/media/libstagefright/foundation/base64.cpp
index dcf5bef..7da7db9 100644
--- a/media/libstagefright/foundation/base64.cpp
+++ b/media/libstagefright/foundation/base64.cpp
@@ -22,11 +22,11 @@ namespace android {
 sp<ABuffer> decodeBase64(const AString &s) {
- if ((s.size() % 4) != 0) {
+ size_t n = s.size();
+ if ((n % 4) != 0) {
 return NULL;
 }
- size_t n = s.size();
 size_t padding = 0;
 if (n >= 1 && s.c_str()[n - 1] == '=') {
 padding = 1;
@@ -40,11 +40,16 @@ sp<ABuffer> decodeBase64(const AString &s) {
 }
 }
- size_t outLen = 3 * s.size() / 4 - padding;
+ // We divide first to avoid overflow. It's OK to do this because we
+ // already made sure that n % 4 == 0.
+ size_t outLen = (n / 4) * 3 - padding;
 sp<ABuffer> buffer = new ABuffer(outLen);
 uint8_t *out = buffer->data();
+ if (out == NULL || buffer->size() < outLen) {
+ return NULL;
+ }
 size_t j = 0;
 uint32_t accum = 0;
 for (size_t i = 0; i < n; ++i) { |
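Review bot: The new guard `if (out == NULL || buffer->size() < outLen)` in the second hunk can also fire for an empty input, where `outLen` is 0, if ABuffer returns a NULL data pointer for a zero-byte allocation (ABuffer is not shown here, so this needs confirming); before this change an empty string decoded to an empty buffer. Callers that read a NULL result as "malformed base64" would then reject a valid empty field. Restricting the check to `if (outLen > 0 && (out == NULL || buffer->size() < outLen)) {` keeps the allocation-failure protection without changing that case. The comment above `outLen` explains the multiplication overflow but not why `- padding` cannot wrap; I would add `// padding is non-zero only when n >= 4, so (n / 4) * 3 >= 3 >= padding.`, provided the padding logic that continues outside these hunks never sets it above 3.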