author | Marco Nelissen <marcone@google.com> | 2017-01-12 15:49:04 -0800 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-03-22 12:36:46 -0600 |
commit | 85473b3d8e9a5ed76a431924b21b0b10e19bc7a0 (patch) | |
tree | 10e70e6032ddb00083947113022add193aad98aa /media | |
parent | cd5482bfac57ad358b663dff6adcc3582038c51a (diff) | |
Don't initialize sync sample parameters until the end
to avoid leaving them in a partially initialized state.
Bug: 33137046
Test: ran CTS tests
CVE-2017-0483
Change-Id: I1f5c070233c5917d85da9e930e01a3fc51a0a0ec
(cherry picked from commit a9660fe122ca382e1777e0c5d3c42ca67ffb0377)
(cherry picked from commit bc62c086e9ba7530723dc8874b83159f4d77d976)
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 8a38c24..2d7e613 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -512,8 +512,6 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
 return ERROR_MALFORMED;
 }

- mSyncSampleOffset = data_offset;
-
 uint8_t header[8];
 if (mDataSource->readAt(
 data_offset, header, sizeof(header)) < (ssize_t)sizeof(header)) {
@@ -525,13 +523,13 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
 return ERROR_MALFORMED;
 }

- mNumSyncSamples = U32_AT(&header[4]);
+ uint32_t numSyncSamples = U32_AT(&header[4]);

- if (mNumSyncSamples < 2) {
+ if (numSyncSamples < 2) {
 ALOGV("Table of sync samples is empty or has only a single entry!");
 }

- uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t);
+ uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t);
 if (allocSize > kMaxTotalSize) {
 ALOGE("Sync sample table size too large.");
 return ERROR_OUT_OF_RANGE;
@@ -549,22 +547,27 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
 return ERROR_OUT_OF_RANGE;
 }

- mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples];
+ mSyncSamples = new (std::nothrow) uint32_t[numSyncSamples];
 if (!mSyncSamples) {
 ALOGE("Cannot allocate sync sample table with %llu entries.",
- (unsigned long long)mNumSyncSamples);
+ (unsigned long long)numSyncSamples);
 return ERROR_OUT_OF_RANGE;
 }

- if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples,
+ if (mDataSource->readAt(data_offset + 8, mSyncSamples,
 (size_t)allocSize) != (ssize_t)allocSize) {
+ delete mSyncSamples;
+ mSyncSamples = NULL;
 return ERROR_IO;
 }

- for (size_t i = 0; i < mNumSyncSamples; ++i) {
+ for (size_t i = 0; i < numSyncSamples; ++i) {
 mSyncSamples[i] = ntohl(mSyncSamples[i]) - 1;
 }

+ mSyncSampleOffset = data_offset;
+ mNumSyncSamples = numSyncSamples;
+
 return OK;
 }

|
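Review bot: The cleanup added on the short-read path in the third hunk (`@@ -549,22 +547,27 @@`) frees the table with scalar `delete mSyncSamples;`, but the buffer is allocated a few lines earlier with `new (std::nothrow) uint32_t[numSyncSamples]`, so the array form is required. Mismatched `new[]`/`delete` is undefined behaviour, and this path is reached exactly when a media file supplies a truncated sync sample table, i.e. on untrusted input. The line should read `delete[] mSyncSamples;`, keeping the `mSyncSamples = NULL;` that follows so no dangling pointer is left in the object. The body of setSyncSampleParams starts outside the hunk, so whether any other exit path also needs to release the buffer cannot be confirmed from here.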