From 2b6f22dc64d456471a1dc6df09d515771d1427c8 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Fri, 8 Apr 2016 10:04:48 -0700
Subject: h264dec: check for overflows when calculating allocation size.

Bug: 27855419
Change-Id: Idabedca52913ec31ea5cb6a6109ab94e3fb2badd
---
 .../libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c')

diff --git a/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c b/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c
index a073dcb..f820dfd 100644
--- a/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c
+++ b/media/libstagefright/codecs/on2/h264dec/source/H264SwDecApi.c
@@ -35,6 +35,8 @@
 /*------------------------------------------------------------------------------
     1. Include headers
 ------------------------------------------------------------------------------*/
+#include <log/log.h>
+
 #include <stdlib.h>
 #include <string.h>
 #include "basetype.h"
@@ -79,8 +81,13 @@ void H264SwDecTrace(char *string) {
     UNUSED(string);
 }
 
-void* H264SwDecMalloc(u32 size) {
-    return malloc(size);
+void* H264SwDecMalloc(u32 size, u32 num) {
+    if (size > UINT32_MAX / num) {
+        ALOGE("can't allocate %u * %u bytes", size, num);
+        android_errorWriteLog(0x534e4554, "27855419");
+        return NULL;
+    }
+    return malloc(size * num);
 }
 
 void H264SwDecFree(void *ptr) {
@@ -144,7 +151,7 @@ H264SwDecRet H264SwDecInit(H264SwDecInst *decInst, u32 noOutputReordering)
         return(H264SWDEC_PARAM_ERR);
     }
 
-    pDecCont = (decContainer_t *)H264SwDecMalloc(sizeof(decContainer_t));
+    pDecCont = (decContainer_t *)H264SwDecMalloc(sizeof(decContainer_t), 1);
 
     if (pDecCont == NULL)
     {
-- 
cgit v1.1