diff options
author | Robert Shih <robertshih@google.com> | 2014-09-10 19:41:45 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-09-10 19:41:45 +0000 |
commit | 74abb1ae32fbd3fa4112cc8b8d53882777feb191 (patch) | |
tree | 1c1a1387d466d7bd1e47f1c7ad845c3e8995f9a0 /media | |
parent | 25bab830af062dcaef6f75220066b221fd30957e (diff) | |
parent | 482b18bbfd6c9214157bfab47feae86df48a7178 (diff) | |
download | frameworks_av-74abb1ae32fbd3fa4112cc8b8d53882777feb191.zip frameworks_av-74abb1ae32fbd3fa4112cc8b8d53882777feb191.tar.gz frameworks_av-74abb1ae32fbd3fa4112cc8b8d53882777feb191.tar.bz2 |
am 482b18bb: am f106b199: SampleTable: check integer overflow during table alloc
* commit '482b18bbfd6c9214157bfab47feae86df48a7178':
SampleTable: check integer overflow during table alloc
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index d9858d7..8dfa365 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -330,6 +330,10 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); + uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t); + if (allocSize > SIZE_MAX) { + return ERROR_OUT_OF_RANGE; + } mTimeToSample = new uint32_t[mTimeToSampleCount * 2]; size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2; @@ -372,6 +376,11 @@ status_t SampleTable::setCompositionTimeToSampleParams( } mNumCompositionTimeDeltaEntries = numEntries; + uint64_t allocSize = numEntries * 2 * sizeof(uint32_t); + if (allocSize > SIZE_MAX) { + return ERROR_OUT_OF_RANGE; + } + mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries]; if (mDataSource->readAt( @@ -417,6 +426,11 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) ALOGV("Table of sync samples is empty or has only a single entry!"); } + uint64_t allocSize = mNumSyncSamples * sizeof(uint32_t); + if (allocSize > SIZE_MAX) { + return ERROR_OUT_OF_RANGE; + } + mSyncSamples = new uint32_t[mNumSyncSamples]; size_t size = mNumSyncSamples * sizeof(uint32_t); if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size) |