From 3df4facd824693020ec412cd4afcc8e469e31bb7 Mon Sep 17 00:00:00 2001
From: Dan Austin <danielaustin@google.com>
Date: Thu, 15 Oct 2015 13:06:41 -0700
Subject: Fix benign integer overflow conditions for VSYNC add and removal.

There are integer overflow conditions that could occur on
vsyncsForLastFrame in VideoFrameScheduler::schedule upon a VSYNC
add or removal. Additional checks have been put in place to
remove the overflowable conditions.

Bug: 24980200
Change-Id: I7dfc25ae1d2f3e3b3382e990adb3c56518c64e8d
---
 media/libstagefright/VideoFrameScheduler.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'media/libstagefright/VideoFrameScheduler.cpp')

diff --git a/media/libstagefright/VideoFrameScheduler.cpp b/media/libstagefright/VideoFrameScheduler.cpp
index 02b8783..c17faf3 100644
--- a/media/libstagefright/VideoFrameScheduler.cpp
+++ b/media/libstagefright/VideoFrameScheduler.cpp
@@ -459,14 +459,16 @@ nsecs_t VideoFrameScheduler::schedule(nsecs_t renderTime) {
                 mTimeCorrection -= mVsyncPeriod / 2;
                 renderTime -= mVsyncPeriod / 2;
                 nextVsyncTime -= mVsyncPeriod;
-                --vsyncsForLastFrame;
+                if (vsyncsForLastFrame > 0)
+                    --vsyncsForLastFrame;
             } else if (mTimeCorrection < -correctionLimit &&
                     (vsyncsPerFrameAreNearlyConstant || vsyncsForLastFrame == minVsyncsPerFrame)) {
                 // add a VSYNC
                 mTimeCorrection += mVsyncPeriod / 2;
                 renderTime += mVsyncPeriod / 2;
                 nextVsyncTime += mVsyncPeriod;
-                ++vsyncsForLastFrame;
+                if (vsyncsForLastFrame < ULONG_MAX)
+                    ++vsyncsForLastFrame;
             }
             ATRACE_INT("FRAME_VSYNCS", vsyncsForLastFrame);
         }
-- 
cgit v1.1