summaryrefslogtreecommitdiffstats
path: root/media/libstagefright
diff options
context:
space:
mode:
authorWonsik Kim <wonsik@google.com>2016-07-21 14:43:38 +0900
committergitbuildkicker <android-build@google.com>2016-08-01 14:24:35 -0700
commit6679b5088f36693f5708dcaedd0c9ab7c66df27c (patch)
tree69f5de660f663fb0435197fa9d1b28dc5e0677e4 /media/libstagefright
parentc174665ec2f19904550daeb65d08f4959654d9a4 (diff)
downloadframeworks_av-6679b5088f36693f5708dcaedd0c9ab7c66df27c.zip
frameworks_av-6679b5088f36693f5708dcaedd0c9ab7c66df27c.tar.gz
frameworks_av-6679b5088f36693f5708dcaedd0c9ab7c66df27c.tar.bz2
DO NOT MERGE - stagefright: fix integer overflow error
Bug: 30103394 Change-Id: If449d3e30a0bf2ebea5317f41813bfed094f7408 (cherry picked from commit 2c74a3cd5d1d66b9a35424b9c4443dafa6db5bef)
Diffstat (limited to 'media/libstagefright')
-rw-r--r--media/libstagefright/SampleTable.cpp29
1 files changed, 15 insertions, 14 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index bc01a2d..72e30f1 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -18,6 +18,8 @@
//#define LOG_NDEBUG 0
#include <utils/Log.h>
+#include <limits>
+
#include "include/SampleTable.h"
#include "include/SampleIterator.h"
@@ -27,11 +29,6 @@
#include <media/stagefright/DataSource.h>
#include <media/stagefright/Utils.h>
-/* TODO: remove after being merged into other branches */
-#ifndef UINT32_MAX
-#define UINT32_MAX (4294967295U)
-#endif
-
namespace android {
// static
@@ -45,6 +42,8 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2');
////////////////////////////////////////////////////////////////////////////////
+const off64_t kMaxOffset = std::numeric_limits<off64_t>::max();
+
struct SampleTable::CompositionDeltaLookup {
CompositionDeltaLookup();
@@ -233,11 +232,11 @@ status_t SampleTable::setSampleToChunkParams(
mNumSampleToChunkOffsets = U32_AT(&header[4]);
- if (data_size < 8 + mNumSampleToChunkOffsets * 12) {
+ if ((data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets) {
return ERROR_MALFORMED;
}
- if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <=
+ if ((uint64_t)kMaxTotalSize / sizeof(SampleToChunkEntry) <=
(uint64_t)mNumSampleToChunkOffsets) {
ALOGE("Sample-to-chunk table size too large.");
return ERROR_OUT_OF_RANGE;
@@ -269,16 +268,19 @@ status_t SampleTable::setSampleToChunkParams(
return OK;
}
- if ((off64_t)(SIZE_MAX - 8 -
+ if ((off64_t)(kMaxOffset - 8 -
((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry)))
< mSampleToChunkOffset) {
return ERROR_MALFORMED;
}
for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {
- uint8_t buffer[12];
+ uint8_t buffer[sizeof(SampleToChunkEntry)];
+
if (mDataSource->readAt(
- mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer))
+ mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry),
+ buffer,
+ sizeof(buffer))
!= (ssize_t)sizeof(buffer)) {
return ERROR_IO;
}
@@ -378,8 +380,7 @@ status_t SampleTable::setTimeToSampleParams(
}
mTimeToSampleCount = U32_AT(&header[4]);
- if ((uint64_t)mTimeToSampleCount >
- (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) {
+ if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) {
// Choose this bound because
// 1) 2 * sizeof(uint32_t) is the amount of memory needed for one
// time-to-sample entry in the time-to-sample table.
@@ -455,7 +456,7 @@ status_t SampleTable::setCompositionTimeToSampleParams(
mNumCompositionTimeDeltaEntries = numEntries;
uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(uint32_t);
- if (allocSize > SIZE_MAX) {
+ if (allocSize > kMaxTotalSize) {
ALOGE("Composition-time-to-sample table size too large.");
return ERROR_OUT_OF_RANGE;
}
@@ -522,7 +523,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
}
uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t);
- if (allocSize > SIZE_MAX) {
+ if (allocSize > kMaxTotalSize) {
ALOGE("Sync sample table size too large.");
return ERROR_OUT_OF_RANGE;
}