summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoshua J. Drake <android-open-source@qoop.org>2015-04-08 23:31:25 -0500
committerPaul Kocialkowski <contact@paulk.fr>2015-08-31 00:22:01 +0200
commit16ffb57cee83d15382286570fe96c375a5dbb30e (patch)
treebb86e609749ec510b57a9617a03651a05e8268db
parent006d9021fc6c7ed492eda25d5e9ac1fb0b11a17b (diff)
downloadframeworks_av-16ffb57cee83d15382286570fe96c375a5dbb30e.zip
frameworks_av-16ffb57cee83d15382286570fe96c375a5dbb30e.tar.gz
frameworks_av-16ffb57cee83d15382286570fe96c375a5dbb30e.tar.bz2
Detect allocation failures and bail gracefully
During the processing of several sample table related MP4 atoms, allocation sizes could be large enough cause a std::bad_alloc exception to be raised. This typically causes a crash (denial of service condition). Use std::nothrow to catch allocation failures and return gracefully. Bug: 20139950 Change-Id: Id70546c9a9d7a1af58ccbf732b000246bc6bb22e Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
-rw-r--r--media/libstagefright/SampleTable.cpp21
1 files changed, 16 insertions, 5 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 3df0d7e..023ab72 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -231,7 +231,9 @@ status_t SampleTable::setSampleToChunkParams(
}
mSampleToChunkEntries =
- new SampleToChunkEntry[mNumSampleToChunkOffsets];
+ new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets];
+ if (!mSampleToChunkEntries)
+ return ERROR_OUT_OF_RANGE;
for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {
uint8_t buffer[12];
@@ -334,7 +336,9 @@ status_t SampleTable::setTimeToSampleParams(
if (allocSize > SIZE_MAX) {
return ERROR_OUT_OF_RANGE;
}
- mTimeToSample = new uint32_t[mTimeToSampleCount * 2];
+ mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2];
+ if (!mTimeToSample)
+ return ERROR_OUT_OF_RANGE;
size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;
if (mDataSource->readAt(
@@ -381,7 +385,9 @@ status_t SampleTable::setCompositionTimeToSampleParams(
if (allocSize > SIZE_MAX) {
return ERROR_OUT_OF_RANGE;
}
- mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries];
+ mCompositionTimeDeltaEntries = new (std::nothrow) uint32_t[2 * numEntries];
+ if (!mCompositionTimeDeltaEntries)
+ return ERROR_OUT_OF_RANGE;
if (mDataSource->readAt(
data_offset + 8, mCompositionTimeDeltaEntries, numEntries * 8)
@@ -431,7 +437,10 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
return ERROR_OUT_OF_RANGE;
}
- mSyncSamples = new uint32_t[mNumSyncSamples];
+ mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples];
+ if (!mSyncSamples)
+ return ERROR_OUT_OF_RANGE;
+
size_t size = mNumSyncSamples * sizeof(uint32_t);
if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size)
!= (ssize_t)size) {
@@ -499,7 +508,9 @@ void SampleTable::buildSampleEntriesTable() {
return;
}
- mSampleTimeEntries = new SampleTimeEntry[mNumSampleSizes];
+ mSampleTimeEntries = new (std::nothrow) SampleTimeEntry[mNumSampleSizes];
+ if (!mSampleTimeEntries)
+ return;
uint32_t sampleIndex = 0;
uint32_t sampleTime = 0;