From b82353b46bcac8239132cfd624c62aa84caab8be Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Fri, 16 Oct 2015 21:22:14 -0700
Subject: Move overflow checks into SkipCutBuffer

Previously SkipCutBuffer would check its input parameters to ensure
they were sane, however since bogus values might be the result of
overflows, and overflow protection was recently turned on for
libstagefright, the compiler's overflow checks were performed before
SkipCutBuffer's, resulting in abort rather than just ignoring the
bogus values.
Moving the multiplication by framesize into SkipCutBuffer fixes this.

Change-Id: I1ad6744bb045a5212701bbf6ee44eecb5f318210
---
 media/libstagefright/SkipCutBuffer.cpp | 39 ++++++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 9 deletions(-)

(limited to 'media/libstagefright/SkipCutBuffer.cpp')

diff --git a/media/libstagefright/SkipCutBuffer.cpp b/media/libstagefright/SkipCutBuffer.cpp
index 1da1e5e..d30be88 100644
--- a/media/libstagefright/SkipCutBuffer.cpp
+++ b/media/libstagefright/SkipCutBuffer.cpp
@@ -24,21 +24,32 @@
 
 namespace android {
 
-SkipCutBuffer::SkipCutBuffer(int32_t skip, int32_t cut) {
+SkipCutBuffer::SkipCutBuffer(size_t skip, size_t cut, size_t num16BitChannels) {
 
-    if (skip < 0 || cut < 0 || cut > 64 * 1024) {
-        ALOGW("out of range skip/cut: %d/%d, using passthrough instead", skip, cut);
-        skip = 0;
-        cut = 0;
+    mWriteHead = 0;
+    mReadHead = 0;
+    mCapacity = 0;
+    mCutBuffer = NULL;
+
+    if (num16BitChannels == 0 || num16BitChannels > INT32_MAX / 2) {
+        ALOGW("# channels out of range: %zu, using passthrough instead", num16BitChannels);
+        return;
     }
+    size_t frameSize = num16BitChannels * 2;
+    if (skip > INT32_MAX / frameSize || cut > INT32_MAX / frameSize
+            || cut * frameSize > INT32_MAX - 4096) {
+        ALOGW("out of range skip/cut: %zu/%zu, using passthrough instead",
+                skip, cut);
+        return;
+    }
+    skip *= frameSize;
+    cut *= frameSize;
 
     mFrontPadding = mSkip = skip;
     mBackPadding = cut;
-    mWriteHead = 0;
-    mReadHead = 0;
     mCapacity = cut + 4096;
-    mCutBuffer = new char[mCapacity];
-    ALOGV("skipcutbuffer %d %d %d", skip, cut, mCapacity);
+    mCutBuffer = new (std::nothrow) char[mCapacity];
+    ALOGV("skipcutbuffer %zu %zu %d", skip, cut, mCapacity);
 }
 
 SkipCutBuffer::~SkipCutBuffer() {
@@ -46,6 +57,11 @@ SkipCutBuffer::~SkipCutBuffer() {
 }
 
 void SkipCutBuffer::submit(MediaBuffer *buffer) {
+    if (mCutBuffer == NULL) {
+        // passthrough mode
+        return;
+    }
+
     int32_t offset = buffer->range_offset();
     int32_t buflen = buffer->range_length();
 
@@ -73,6 +89,11 @@ void SkipCutBuffer::submit(MediaBuffer *buffer) {
 }
 
 void SkipCutBuffer::submit(const sp<ABuffer>& buffer) {
+    if (mCutBuffer == NULL) {
+        // passthrough mode
+        return;
+    }
+
     int32_t offset = buffer->offset();
     int32_t buflen = buffer->size();
 
-- 
cgit v1.1