diff options
author | Joshua J. Drake <android-open-source@qoop.org> | 2015-04-08 23:31:25 -0500 |
---|---|---|
committer | Paul Kocialkowski <contact@paulk.fr> | 2015-08-31 00:22:01 +0200 |
commit | 16ffb57cee83d15382286570fe96c375a5dbb30e (patch) | |
tree | bb86e609749ec510b57a9617a03651a05e8268db /media | |
parent | 006d9021fc6c7ed492eda25d5e9ac1fb0b11a17b (diff) | |
download | frameworks_av-16ffb57cee83d15382286570fe96c375a5dbb30e.zip frameworks_av-16ffb57cee83d15382286570fe96c375a5dbb30e.tar.gz frameworks_av-16ffb57cee83d15382286570fe96c375a5dbb30e.tar.bz2 |
Detect allocation failures and bail gracefully
During the processing of several sample table related MP4 atoms, allocation
sizes could be large enough cause a std::bad_alloc exception to be raised. This
typically causes a crash (denial of service condition). Use std::nothrow to
catch allocation failures and return gracefully.
Bug: 20139950
Change-Id: Id70546c9a9d7a1af58ccbf732b000246bc6bb22e
Signed-off-by: Joshua J. Drake <android-open-source@qoop.org>
Tested-by: Moritz Bandemer <replicant@posteo.mx>
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/SampleTable.cpp | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp index 3df0d7e..023ab72 100644 --- a/media/libstagefright/SampleTable.cpp +++ b/media/libstagefright/SampleTable.cpp @@ -231,7 +231,9 @@ status_t SampleTable::setSampleToChunkParams( } mSampleToChunkEntries = - new SampleToChunkEntry[mNumSampleToChunkOffsets]; + new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets]; + if (!mSampleToChunkEntries) + return ERROR_OUT_OF_RANGE; for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { uint8_t buffer[12]; @@ -334,7 +336,9 @@ status_t SampleTable::setTimeToSampleParams( if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } - mTimeToSample = new uint32_t[mTimeToSampleCount * 2]; + mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2]; + if (!mTimeToSample) + return ERROR_OUT_OF_RANGE; size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2; if (mDataSource->readAt( @@ -381,7 +385,9 @@ status_t SampleTable::setCompositionTimeToSampleParams( if (allocSize > SIZE_MAX) { return ERROR_OUT_OF_RANGE; } - mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries]; + mCompositionTimeDeltaEntries = new (std::nothrow) uint32_t[2 * numEntries]; + if (!mCompositionTimeDeltaEntries) + return ERROR_OUT_OF_RANGE; if (mDataSource->readAt( data_offset + 8, mCompositionTimeDeltaEntries, numEntries * 8) @@ -431,7 +437,10 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) return ERROR_OUT_OF_RANGE; } - mSyncSamples = new uint32_t[mNumSyncSamples]; + mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples]; + if (!mSyncSamples) + return ERROR_OUT_OF_RANGE; + size_t size = mNumSyncSamples * sizeof(uint32_t); if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size) != (ssize_t)size) { @@ -499,7 +508,9 @@ void SampleTable::buildSampleEntriesTable() { return; } - mSampleTimeEntries = new SampleTimeEntry[mNumSampleSizes]; + mSampleTimeEntries = new (std::nothrow) SampleTimeEntry[mNumSampleSizes]; + if (!mSampleTimeEntries) + return; uint32_t sampleIndex = 0; uint32_t sampleTime = 0; |