Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 014a9ed6 authored by Songyue Han's avatar Songyue Han
Browse files

Initialize mRowBytes and mSize with overflow check. 

Bug: b/233006499
Test: libstagefright_frameDecoder_fuzzer
Merged-In: Ia1d1b65164e142c6431aead18073c121a531994a
Change-Id: Ia1d1b65164e142c6431aead18073c121a531994a
parent 208cfff3

include/private/media/VideoFrame.h

+9 −3
Original line number Diff line number Diff line
@@ -42,9 +42,15 @@ public: 
        mWidth(width), mHeight(height),

        mDisplayWidth(displayWidth), mDisplayHeight(displayHeight),

        mTileWidth(tileWidth), mTileHeight(tileHeight), mDurationUs(0),

        mRotationAngle(angle), mBytesPerPixel(bpp), mRowBytes(bpp * width),

        mSize(hasData ? (bpp * width * height) : 0),

        mIccSize(iccSize), mBitDepth(bitDepth) {

        mRotationAngle(angle), mBytesPerPixel(bpp), mIccSize(iccSize),

        mBitDepth(bitDepth) {

            uint32_t multVal;

            mRowBytes = __builtin_mul_overflow(bpp, width, &multVal) ? 0 : multVal;

            mSize = __builtin_mul_overflow(multVal, height, &multVal) ? 0 : multVal;

            if (hasData && (mRowBytes == 0 || mSize == 0)) {

                ALOGE("Frame rowBytes/ size overflow %dx%d bpp %d", width, height, bpp);

                android_errorWriteLog(0x534e4554, "233006499");

            }

    }



    void init(const VideoFrame& copy, const void* iccData, size_t iccSize) {