From 2b6f22dc64d456471a1dc6df09d515771d1427c8 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Fri, 8 Apr 2016 10:04:48 -0700
Subject: h264dec: check for overflows when calculating allocation size.

Bug: 27855419
Change-Id: Idabedca52913ec31ea5cb6a6109ab94e3fb2badd
---
 .../codecs/on2/h264dec/source/EvaluationTestBench.c              | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c')

diff --git a/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c b/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c
index aadc75f..e756a1f 100644
--- a/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c
+++ b/media/libstagefright/codecs/on2/h264dec/source/EvaluationTestBench.c
@@ -85,7 +85,7 @@ int main(int argc, char **argv)
     rewind(finput);
 
     /* allocate memory for stream buffer, exit if unsuccessful */
-    byteStrm = byteStrmStart = (u8 *)H264SwDecMalloc(sizeof(u8)*strmLen);
+    byteStrm = byteStrmStart = (u8 *)H264SwDecMalloc(sizeof(u8), strmLen);
     if (byteStrm == NULL)
     {
         printf("UNABLE TO ALLOCATE MEMORY\n");
@@ -298,9 +298,12 @@ void H264SwDecTrace(char *string)
         library function malloc for allocation of memory.
 
 ------------------------------------------------------------------------------*/
-void* H264SwDecMalloc(u32 size)
+void* H264SwDecMalloc(u32 size, u32 num)
 {
-    return malloc(size);
+    if (size > UINT32_MAX / num) {
+        return NULL;
+    }
+    return malloc(size * num);
 }
 
 /*------------------------------------------------------------------------------
-- 
cgit v1.1