diff options
Diffstat (limited to 'media/libstagefright')
-rw-r--r-- | media/libstagefright/ESDS.cpp | 6 | ||||
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 9 |
2 files changed, 12 insertions, 3 deletions
diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp index 427bf7b..8fbb57c 100644 --- a/media/libstagefright/ESDS.cpp +++ b/media/libstagefright/ESDS.cpp @@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { --size; if (streamDependenceFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; } @@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { return ERROR_MALFORMED; } unsigned URLlength = mData[offset]; + if (URLlength >= size) + return ERROR_MALFORMED; offset += URLlength + 1; size -= URLlength + 1; } if (OCRstreamFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index bdd6d56..6030236 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -230,6 +230,9 @@ status_t SampleTable::setSampleToChunkParams( return ERROR_MALFORMED; } + if (SIZE_MAX / sizeof(SampleToChunkEntry) <= mNumSampleToChunkOffsets) + return ERROR_OUT_OF_RANGE; + mSampleToChunkEntries = new SampleToChunkEntry[mNumSampleToChunkOffsets]; @@ -330,7 +333,7 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); - uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t); + uint64_t allocSize = mTimeToSampleCount * 2 * (uint64_t)sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } @@ -376,7 +379,7 @@ status_t SampleTable::setCompositionTimeToSampleParams( } mNumCompositionTimeDeltaEntries = numEntries; - uint64_t allocSize = numEntries * 2 * sizeof(uint32_t); + uint64_t allocSize = numEntries * 2 * (uint64_t)sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } @@ -426,7 +429,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) ALOGV("Table of sync samples is empty or has only a single entry!"); } - uint64_t allocSize = mNumSyncSamples * sizeof(uint32_t); + uint64_t allocSize = mNumSyncSamples * (uint64_t)sizeof(uint32_t); if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } |