diff options
author | Wonsik Kim <wonsik@google.com> | 2016-07-21 14:43:38 +0900 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-08-16 15:51:50 -0700 |
commit | eb11f3a9e6638805c4473c3bf448584893bae519 (patch) | |
tree | 38557fb1ec2618d60e057be22fe6b52be65dcf94 /media | |
parent | 2bef075f91e203e96130c88320b7d13eddc17d89 (diff) | |
download | frameworks_av-eb11f3a9e6638805c4473c3bf448584893bae519.zip frameworks_av-eb11f3a9e6638805c4473c3bf448584893bae519.tar.gz frameworks_av-eb11f3a9e6638805c4473c3bf448584893bae519.tar.bz2 |
DO NOT MERGE - stagefright: fix integer overflow error
Bug: 30103394
Change-Id: If449d3e30a0bf2ebea5317f41813bfed094f7408
(cherry picked from commit 2c74a3cd5d1d66b9a35424b9c4443dafa6db5bef)
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index bc01a2d..72e30f1 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -18,6 +18,8 @@ //#define LOG_NDEBUG 0 #include <utils/Log.h> +#include <limits> + #include "include/SampleTable.h" #include "include/SampleIterator.h" @@ -27,11 +29,6 @@ #include <media/stagefright/DataSource.h> #include <media/stagefright/Utils.h> -/* TODO: remove after being merged into other branches */ -#ifndef UINT32_MAX -#define UINT32_MAX (4294967295U) -#endif - namespace android { // static @@ -45,6 +42,8 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2'); //////////////////////////////////////////////////////////////////////////////// +const off64_t kMaxOffset = std::numeric_limits<off64_t>::max(); + struct SampleTable::CompositionDeltaLookup { CompositionDeltaLookup(); @@ -233,11 +232,11 @@ status_t SampleTable::setSampleToChunkParams( mNumSampleToChunkOffsets = U32_AT(&header[4]); - if (data_size < 8 + mNumSampleToChunkOffsets * 12) { + if ((data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets) { return ERROR_MALFORMED; } - if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <= + if ((uint64_t)kMaxTotalSize / sizeof(SampleToChunkEntry) <= (uint64_t)mNumSampleToChunkOffsets) { ALOGE("Sample-to-chunk table size too large."); return ERROR_OUT_OF_RANGE; @@ -269,16 +268,19 @@ status_t SampleTable::setSampleToChunkParams( return OK; } - if ((off64_t)(SIZE_MAX - 8 - + if ((off64_t)(kMaxOffset - 8 - ((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry))) < mSampleToChunkOffset) { return ERROR_MALFORMED; } for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { - uint8_t buffer[12]; + uint8_t buffer[sizeof(SampleToChunkEntry)]; + if (mDataSource->readAt( - mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer)) + mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry), + buffer, + sizeof(buffer)) != (ssize_t)sizeof(buffer)) { return ERROR_IO; } @@ -378,8 +380,7 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - if ((uint64_t)mTimeToSampleCount > - (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) { + if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { // Choose this bound because // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one // time-to-sample entry in the time-to-sample table. @@ -455,7 +456,7 @@ status_t SampleTable::setCompositionTimeToSampleParams( mNumCompositionTimeDeltaEntries = numEntries; uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(uint32_t); - if (allocSize > SIZE_MAX) { + if (allocSize > kMaxTotalSize) { ALOGE("Composition-time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } @@ -522,7 +523,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); - if (allocSize > SIZE_MAX) { + if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; } |