am e3cb2507: am 4b995f73: Merge "libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable." into lmp-dev

* commit 'e3cb25078b814b40f8e1506514bd17066935a51f': libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable.
author: Wei Jia <wjia@google.com> 2015-08-20 04:36:50 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2015-08-20 04:36:50 +0000
commit: 238a487a0cf0fde606a27ea1f00bad5d92589161 (patch)
tree: 9d1b0fdc138a7e41ce7bbf69c8c599e5e4187f52 /media
parent: 4bb01def2c34e8b92a6640190b42f8555e989d60 (diff)
parent: e3cb25078b814b40f8e1506514bd17066935a51f (diff)
download: frameworks_av-238a487a0cf0fde606a27ea1f00bad5d92589161.zip
frameworks_av-238a487a0cf0fde606a27ea1f00bad5d92589161.tar.gz
frameworks_av-238a487a0cf0fde606a27ea1f00bad5d92589161.tar.bz2
2 files changed, 16 insertions, 3 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 0c7cba4..d7251f4 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -27,6 +27,11 @@
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/Utils.h>
 
+/* TODO: remove after being merged into other branches */
+#ifndef UINT32_MAX
+#define UINT32_MAX       (4294967295U)
+#endif
+
 namespace android {
 
 // static
@@ -282,6 +287,9 @@ status_t SampleTable::setSampleSizeParams(
 
     mDefaultSampleSize = U32_AT(&header[4]);
     mNumSampleSizes = U32_AT(&header[8]);
+    if (mNumSampleSizes > (UINT32_MAX - 12) / 16) {
+        return ERROR_MALFORMED;
+    }
 
     if (type == kSampleSizeType32) {
         mSampleSizeFieldSize = 32;
@@ -498,7 +506,7 @@ int SampleTable::CompareIncreasingTime(const void *_a, const void *_b) {
 void SampleTable::buildSampleEntriesTable() {
     Mutex::Autolock autoLock(mLock);
 
-    if (mSampleTimeEntries != NULL) {
+    if (mSampleTimeEntries != NULL || mNumSampleSizes == 0) {
         return;
     }
 
@@ -541,6 +549,10 @@ status_t SampleTable::findSampleAtTime(
         uint32_t *sample_index, uint32_t flags) {
     buildSampleEntriesTable();
 
+    if (mSampleTimeEntries == NULL) {
+        return ERROR_OUT_OF_RANGE;
+    }
+
     uint32_t left = 0;
     uint32_t right_plus_one = mNumSampleSizes;
     while (left < right_plus_one) {
diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h
index d06df7b..460492b 100644
--- a/media/libstagefright/include/SampleTable.h
+++ b/media/libstagefright/include/SampleTable.h
@@ -142,8 +142,9 @@ private:
     // normally we don't round
     inline uint64_t getSampleTime(
             size_t sample_index, uint64_t scale_num, uint64_t scale_den) const {
-        return (mSampleTimeEntries[sample_index].mCompositionTime
-            * scale_num) / scale_den;
+        return (sample_index < (size_t)mNumSampleSizes && mSampleTimeEntries != NULL
+                && scale_den != 0)
+                ? (mSampleTimeEntries[sample_index].mCompositionTime * scale_num) / scale_den : 0;
     }
 
     status_t getSampleSize_l(uint32_t sample_index, size_t *sample_size);
author	Wei Jia <wjia@google.com>	2015-08-20 04:36:50 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2015-08-20 04:36:50 +0000
commit	238a487a0cf0fde606a27ea1f00bad5d92589161 (patch)
tree	9d1b0fdc138a7e41ce7bbf69c8c599e5e4187f52 /media
parent	4bb01def2c34e8b92a6640190b42f8555e989d60 (diff)
parent	e3cb25078b814b40f8e1506514bd17066935a51f (diff)
download	frameworks_av-238a487a0cf0fde606a27ea1f00bad5d92589161.zip frameworks_av-238a487a0cf0fde606a27ea1f00bad5d92589161.tar.gz frameworks_av-238a487a0cf0fde606a27ea1f00bad5d92589161.tar.bz2