From de04a021142f832a859a83b7826aed391a8f1961 Mon Sep 17 00:00:00 2001
From: Chad Brubaker
Date: Mon, 24 Aug 2015 16:37:57 -0700
Subject: Fix benign unsigned overflow in OggExtractor

When computing mCurrentPageSamples it was possible to have a harmless unsigned integer overflow during the conf pages leading to false positives with fsanitize integer. To prevent the false positives clamp the result to 0.

Bug: 23488745
Bug: 23110888
Change-Id: I0769cb4a915d45b00ea43f2abbefe9ee46165cc7
---
 media/libstagefright/OggExtractor.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'media/libstagefright/OggExtractor.cpp')
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 5c81f1a..d63ac96 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -774,8 +774,13 @@ status_t MyOggExtractor::_readNextPacket(MediaBuffer **out, bool calcVorbisTimes
 return n < 0 ? n : (status_t)ERROR_END_OF_STREAM;
 }
- mCurrentPageSamples =
- mCurrentPage.mGranulePosition - mPrevGranulePosition;
+ // Prevent a harmless unsigned integer overflow by clamping to 0
+ if (mCurrentPage.mGranulePosition >= mPrevGranulePosition) {
+ mCurrentPageSamples =
+ mCurrentPage.mGranulePosition - mPrevGranulePosition;
+ } else {
+ mCurrentPageSamples = 0;
+ }
 mFirstPacketInPage = true;
 mPrevGranulePosition = mCurrentPage.mGranulePosition;
--
cgit v1.1
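Review bot: The new guard only covers a granule position that moves backwards; in the `>=` branch the difference `mCurrentPage.mGranulePosition - mPrevGranulePosition` is still whatever the stream supplies, so a page whose granule position jumps far forward yields an arbitrarily large `mCurrentPageSamples`. Neither the declared width of `mCurrentPageSamples` nor the code that consumes it is visible here, so whether that value is bounded (or silently truncated on assignment) needs confirming in the rest of `_readNextPacket`, which starts and ends outside this hunk. The added comment would also help the next reader more if it said why zero is the right result rather than only that the wrap is harmless, for example `// Granule positions come from the stream and can go backwards (seen on the configuration pages); count such a page as 0 samples instead of wrapping.`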