
DO NOT MERGE - stagefright: fix integer overflow error

Bug: 30103394
Change-Id: If449d3e30a0bf2ebea5317f41813bfed094f7408
(cherry picked from commit 2c74a3c)
Wonsik Kim authored and andi34 committed Jul 21, 2016
1 parent 47301ba commit 26d423c5766b6412a8f2293d663170acf539db36
Showing with 16 additions and 14 deletions.
  1. +16 −14 media/libstagefright/SampleTable.cpp
@@ -14,6 +14,9 @@
* limitations under the License.
*/

#define __STDINT_MACROS
#define __STDINT_LIMITS

#define LOG_TAG "SampleTable"
//#define LOG_NDEBUG 0
#include <utils/Log.h>
@@ -27,11 +30,6 @@
#include <media/stagefright/DataSource.h>
#include <media/stagefright/Utils.h>

/* TODO: remove after being merged into other branches */
#ifndef UINT32_MAX
#define UINT32_MAX (4294967295U)
#endif

namespace android {

// static
@@ -45,6 +43,8 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2');

////////////////////////////////////////////////////////////////////////////////

const off64_t kMaxOffset = INT64_MAX;

struct SampleTable::CompositionDeltaLookup {
CompositionDeltaLookup();

@@ -233,11 +233,11 @@ status_t SampleTable::setSampleToChunkParams(

mNumSampleToChunkOffsets = U32_AT(&header[4]);

if (data_size < 8 + mNumSampleToChunkOffsets * 12) {
if ((data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets) {
return ERROR_MALFORMED;
}

if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <=
if ((uint64_t)kMaxTotalSize / sizeof(SampleToChunkEntry) <=
(uint64_t)mNumSampleToChunkOffsets) {
ALOGE("Sample-to-chunk table size too large.");
return ERROR_OUT_OF_RANGE;
@@ -269,16 +269,19 @@ status_t SampleTable::setSampleToChunkParams(
return OK;
}

if ((off64_t)(SIZE_MAX - 8 -
if ((off64_t)(kMaxOffset - 8 -
((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry)))
< mSampleToChunkOffset) {
return ERROR_MALFORMED;
}

for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {
uint8_t buffer[12];
uint8_t buffer[sizeof(SampleToChunkEntry)];

if (mDataSource->readAt(
mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer))
mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry),
buffer,
sizeof(buffer))
!= (ssize_t)sizeof(buffer)) {
return ERROR_IO;
}
@@ -378,8 +381,7 @@ status_t SampleTable::setTimeToSampleParams(
}

mTimeToSampleCount = U32_AT(&header[4]);
if ((uint64_t)mTimeToSampleCount >
(uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) {
if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) {
// Choose this bound because
// 1) 2 * sizeof(uint32_t) is the amount of memory needed for one
// time-to-sample entry in the time-to-sample table.
@@ -455,7 +457,7 @@ status_t SampleTable::setCompositionTimeToSampleParams(

mNumCompositionTimeDeltaEntries = numEntries;
uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(uint32_t);
if (allocSize > SIZE_MAX) {
if (allocSize > kMaxTotalSize) {
ALOGE("Composition-time-to-sample table size too large.");
return ERROR_OUT_OF_RANGE;
}
@@ -522,7 +524,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
}

uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t);
if (allocSize > SIZE_MAX) {
if (allocSize > kMaxTotalSize) {
ALOGE("Sync sample table size too large.");
return ERROR_OUT_OF_RANGE;
}
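Review bot: In setSampleToChunkParams the new bound `(data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets` subtracts from an unsigned `data_size`, so an input shorter than 8 bytes would wrap to a very large value and pass the check; the replaced comparison had no such subtraction. The function's opening lines are outside the hunk, so this is safe only if an earlier `if (data_size < 8) return ERROR_MALFORMED;` already exists there; if it does not, it should be added ahead of this test. Separately, the read stride and the buffer size in the loop now come from `sizeof(SampleToChunkEntry)` instead of the literal 12 of the on-disk record, which ties file parsing to the in-memory struct layout (the struct definition is not shown here). A `static_assert(sizeof(SampleToChunkEntry) == 12, "on-disk sample-to-chunk entry is 12 bytes");` next to the loop would pin that assumption at compile time.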
