summaryrefslogtreecommitdiffstats
path: root/media
diff options
context:
space:
mode:
authorJoshua J. Drake <android-open-source@qoop.org>2015-04-08 23:23:55 -0500
committerPaul Kocialkowski <contact@paulk.fr>2015-08-31 00:22:01 +0200
commit006d9021fc6c7ed492eda25d5e9ac1fb0b11a17b (patch)
treecfe6cbc101a9b9386e661606f88aed681fd18263 /media
parent353b4e92b3494589f13d5632b3e5c333bdacd730 (diff)
downloadframeworks_av-006d9021fc6c7ed492eda25d5e9ac1fb0b11a17b.zip
frameworks_av-006d9021fc6c7ed492eda25d5e9ac1fb0b11a17b.tar.gz
frameworks_av-006d9021fc6c7ed492eda25d5e9ac1fb0b11a17b.tar.bz2
Fix several ineffective integer overflow checks
Commit edd4a76 (which addressed bugs 15328708, 15342615, 15342751) added several integer overflow checks. Unfortunately, those checks fail to take into account integer promotion rules and are thus themselves subject to an integer overflow. Cast the sizeof() operator to a uint64_t to force promotion while multiplying. Bug: 20139950 Change-Id: I2e70584ab566dbaa2fba4df6ca7a89b348ae9a06 Signed-off-by: Joshua J. Drake <android-open-source@qoop.org> Tested-by: Moritz Bandemer <replicant@posteo.mx>
Diffstat (limited to 'media')
-rw-r--r--media/libstagefright/SampleTable.cpp13
1 files changed, 13 insertions, 0 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index 4a42a70..3df0d7e 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -330,6 +330,10 @@ status_t SampleTable::setTimeToSampleParams(
}
mTimeToSampleCount = U32_AT(&header[4]);
+ uint64_t allocSize = mTimeToSampleCount * 2 * (uint64_t)sizeof(uint32_t);
+ if (allocSize > SIZE_MAX) {
+ return ERROR_OUT_OF_RANGE;
+ }
mTimeToSample = new uint32_t[mTimeToSampleCount * 2];
size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;
@@ -373,6 +377,10 @@ status_t SampleTable::setCompositionTimeToSampleParams(
}
mNumCompositionTimeDeltaEntries = numEntries;
+ uint64_t allocSize = numEntries * 2 * (uint64_t)sizeof(uint32_t);
+ if (allocSize > SIZE_MAX) {
+ return ERROR_OUT_OF_RANGE;
+ }
mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries];
if (mDataSource->readAt(
@@ -418,6 +426,11 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
ALOGV("Table of sync samples is empty or has only a single entry!");
}
+ uint64_t allocSize = mNumSyncSamples * (uint64_t)sizeof(uint32_t);
+ if (allocSize > SIZE_MAX) {
+ return ERROR_OUT_OF_RANGE;
+ }
+
mSyncSamples = new uint32_t[mNumSyncSamples];
size_t size = mNumSyncSamples * sizeof(uint32_t);
if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size)