SampleTable: check integer overflow during table alloc
Bug: 15328708
Bug: 15342615
Bug: 15342751
Change-Id: I6bb110a1eba46506799c73be8ff9a4f71c7e7053
rjsh committed Jul 28, 2014
1 parent ec3c71e commit edd4a76
Showing 1 changed file with 14 additions and 0 deletions.
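--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -330,6 +330,10 @@ status_t SampleTable::setTimeToSampleParams(
 }
 
 mTimeToSampleCount = U32_AT(&header[4]);
+uint64_t allocSize = mTimeToSampleCount * 2 * sizeof(uint32_t);
+if (allocSize > SIZE_MAX) {
+return ERROR_OUT_OF_RANGE;
+}
 mTimeToSample = new uint32_t[mTimeToSampleCount * 2];
 
 size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;
@@ -372,6 +376,11 @@ status_t SampleTable::setCompositionTimeToSampleParams(
 }
 
 mNumCompositionTimeDeltaEntries = numEntries;
+uint64_t allocSize = numEntries * 2 * sizeof(uint32_t);
+if (allocSize > SIZE_MAX) {
+return ERROR_OUT_OF_RANGE;
+}
+
 mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries];
 
 if (mDataSource->readAt(
@@ -417,6 +426,11 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
 ALOGV("Table of sync samples is empty or has only a single entry!");
 }
 
+uint64_t allocSize = mNumSyncSamples * sizeof(uint32_t);
+if (allocSize > SIZE_MAX) {
+return ERROR_OUT_OF_RANGE;
+}
+
 mSyncSamples = new uint32_t[mNumSyncSamples];
 size_t size = mNumSyncSamples * sizeof(uint32_t);
 if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size)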
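Review bot: The added `allocSize > SIZE_MAX` guard in setTimeToSampleParams probably cannot fire, because `mTimeToSampleCount * 2 * sizeof(uint32_t)` is multiplied in the operands' own types and only the already-wrapped product is widened to `uint64_t`. On a 32-bit build that product can never exceed SIZE_MAX, and if the count is a 32-bit field (the `U32_AT` assignment suggests so) `count * 2` wraps before `sizeof` is applied on any build. Widen first, `uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t);`, and derive both the `new[]` element count and the later `readAt` length from that checked value so the allocation and the read cannot disagree. The same pattern applies to the `numEntries` check in setCompositionTimeToSampleParams and the `mNumSyncSamples` check in setSyncSampleParams. All three function bodies start and end outside the visible hunks, so the declared types of these counters should be confirmed there.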
