diff options
| author | Wei Jia <wjia@google.com> | 2015-08-18 11:17:24 -0700 |
|---|---|---|
| committer | Wei Jia <wjia@google.com> | 2015-08-18 14:56:21 -0700 |
| commit | 3564c4562f46bede6ef1ea716c4fd4f77e470ae8 (patch) | |
| tree | 5933ef30cdfb5d33b75595dff94eeede5f7ed04f /media | |
| parent | 2c5fb0c7249ba7e5d79236c61a1c94a489041e65 (diff) | |
| download | frameworks_av-3564c4562f46bede6ef1ea716c4fd4f77e470ae8.zip frameworks_av-3564c4562f46bede6ef1ea716c4fd4f77e470ae8.tar.gz frameworks_av-3564c4562f46bede6ef1ea716c4fd4f77e470ae8.tar.bz2 | |
libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable.
Bug: 23247055
Change-Id: I29ef59c7ff09248063714e5013f7c33f66c5eebd
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/SampleTable.cpp | 14 | ||||
| -rw-r--r-- | media/libstagefright/include/SampleTable.h | 5 |
2 files changed, 16 insertions, 3 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index aeef99f..97dff43 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -27,6 +27,11 @@ #include <media/stagefright/DataSource.h> #include <media/stagefright/Utils.h> +/* TODO: remove after being merged into other branches */ +#ifndef UINT32_MAX +#define UINT32_MAX (4294967295U) +#endif + namespace android { // static @@ -284,6 +289,9 @@ status_t SampleTable::setSampleSizeParams( mDefaultSampleSize = U32_AT(&header[4]); mNumSampleSizes = U32_AT(&header[8]); + if (mNumSampleSizes > (UINT32_MAX - 12) / 16) { + return ERROR_MALFORMED; + } if (type == kSampleSizeType32) { mSampleSizeFieldSize = 32; @@ -507,7 +515,7 @@ int SampleTable::CompareIncreasingTime(const void *_a, const void *_b) { void SampleTable::buildSampleEntriesTable() { Mutex::Autolock autoLock(mLock); - if (mSampleTimeEntries != NULL) { + if (mSampleTimeEntries != NULL || mNumSampleSizes == 0) { return; } @@ -552,6 +560,10 @@ status_t SampleTable::findSampleAtTime( uint32_t *sample_index, uint32_t flags) { buildSampleEntriesTable(); + if (mSampleTimeEntries == NULL) { + return ERROR_OUT_OF_RANGE; + } + uint32_t left = 0; uint32_t right_plus_one = mNumSampleSizes; while (left < right_plus_one) { diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h index d06df7b..460492b 100644 --- a/media/libstagefright/include/SampleTable.h +++ b/media/libstagefright/include/SampleTable.h @@ -142,8 +142,9 @@ private: // normally we don't round inline uint64_t getSampleTime( size_t sample_index, uint64_t scale_num, uint64_t scale_den) const { - return (mSampleTimeEntries[sample_index].mCompositionTime - * scale_num) / scale_den; + return (sample_index < (size_t)mNumSampleSizes && mSampleTimeEntries != NULL + && scale_den != 0) + ? (mSampleTimeEntries[sample_index].mCompositionTime * scale_num) / scale_den : 0; } status_t getSampleSize_l(uint32_t sample_index, size_t *sample_size); |