summaryrefslogtreecommitdiffstats
path: root/media/libstagefright/SampleTable.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'media/libstagefright/SampleTable.cpp')
-rw-r--r--media/libstagefright/SampleTable.cpp15
1 files changed, 12 insertions, 3 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 72e30f1..8a38c24 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -195,11 +195,11 @@ status_t SampleTable::setChunkOffsetParams(
mNumChunkOffsets = U32_AT(&header[4]);
if (mChunkOffsetType == kChunkOffsetType32) {
- if (data_size < 8 + mNumChunkOffsets * 4) {
+ if ((data_size - 8) / 4 < mNumChunkOffsets) {
return ERROR_MALFORMED;
}
} else {
- if (data_size < 8 + mNumChunkOffsets * 8) {
+ if ((data_size - 8) / 8 < mNumChunkOffsets) {
return ERROR_MALFORMED;
}
}
@@ -210,6 +210,11 @@ status_t SampleTable::setChunkOffsetParams(
status_t SampleTable::setSampleToChunkParams(
off64_t data_offset, size_t data_size) {
if (mSampleToChunkOffset >= 0) {
+ // already set
+ return ERROR_MALFORMED;
+ }
+
+ if (data_offset < 0) {
return ERROR_MALFORMED;
}
@@ -277,6 +282,10 @@ status_t SampleTable::setSampleToChunkParams(
for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {
uint8_t buffer[sizeof(SampleToChunkEntry)];
+ if ((SIZE_MAX - 8 - (i * 12)) < (size_t)mSampleToChunkOffset) {
+ return ERROR_MALFORMED;
+ }
+
if (mDataSource->readAt(
mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry),
buffer,
@@ -450,7 +459,7 @@ status_t SampleTable::setCompositionTimeToSampleParams(
size_t numEntries = U32_AT(&header[4]);
- if (data_size != (numEntries + 1) * 8) {
+ if (((SIZE_MAX / 8) - 1 < numEntries) || (data_size != (numEntries + 1) * 8)) {
return ERROR_MALFORMED;
}
generated by cgit v1.1 at 2024-05-07 13:44:07 +0000