From f106b1993143df44282777253244ce67974c9d4a Mon Sep 17 00:00:00 2001
From: Robert Shih <robertshih@google.com>
Date: Mon, 28 Jul 2014 09:54:57 -0700
Subject: SampleTable: check integer overflow during table alloc

Bug: 15328708
Bug: 15342615
Bug: 15342751
Change-Id: I6bb110a1eba46506799c73be8ff9a4f71c7e7053
(cherry picked from commit edd4a76eb4747bd19ed122df46fa46b452c12a0d)
---
 media/libstagefright/SampleTable.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'media')

diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index d9858d7..8dfa365 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -330,6 +330,10 @@ status_t SampleTable::setTimeToSampleParams(
     }
 
     mTimeToSampleCount = U32_AT(&header[4]);
+    uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t);
+    if (allocSize > SIZE_MAX) {
+        return ERROR_OUT_OF_RANGE;
+    }
     mTimeToSample = new uint32_t[mTimeToSampleCount * 2];
 
     size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;
@@ -372,6 +376,11 @@ status_t SampleTable::setCompositionTimeToSampleParams(
     }
 
     mNumCompositionTimeDeltaEntries = numEntries;
+    uint64_t allocSize = numEntries * 2 * sizeof(uint32_t);
+    if (allocSize > SIZE_MAX) {
+        return ERROR_OUT_OF_RANGE;
+    }
+
     mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries];
 
     if (mDataSource->readAt(
@@ -417,6 +426,11 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
         ALOGV("Table of sync samples is empty or has only a single entry!");
     }
 
+    uint64_t allocSize = mNumSyncSamples * sizeof(uint32_t);
+    if (allocSize > SIZE_MAX) {
+        return ERROR_OUT_OF_RANGE;
+    }
+
     mSyncSamples = new uint32_t[mNumSyncSamples];
     size_t size = mNumSyncSamples * sizeof(uint32_t);
     if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size)
-- 
cgit v1.1