Loading media/extractors/mp4/MPEG4Extractor.cpp +37 −3 Original line number Diff line number Diff line Loading @@ -5011,8 +5011,11 @@ status_t MPEG4Source::parseChunk(off64_t *offset) { } status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( off64_t offset, off64_t /* size */) { off64_t offset, off64_t size) { ALOGV("parseSampleAuxiliaryInformationSizes"); if (size < 9) { return -EINVAL; } // 14496-12 8.7.12 uint8_t version; if (mDataSource->readAt( Loading @@ -5025,25 +5028,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( return ERROR_UNSUPPORTED; } offset++; size--; uint32_t flags; if (!mDataSource->getUInt24(offset, &flags)) { return ERROR_IO; } offset += 3; size -= 3; if (flags & 1) { if (size < 13) { return -EINVAL; } uint32_t tmp; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_MALFORMED; } mCurrentAuxInfoType = tmp; offset += 4; size -= 4; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_MALFORMED; } mCurrentAuxInfoTypeParameter = tmp; offset += 4; size -= 4; } uint8_t defsize; Loading @@ -5052,6 +5062,7 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } mCurrentDefaultSampleInfoSize = defsize; offset++; size--; uint32_t smplcnt; if (!mDataSource->getUInt32(offset, &smplcnt)) { Loading @@ -5059,11 +5070,16 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } mCurrentSampleInfoCount = smplcnt; offset += 4; size -= 4; if (mCurrentDefaultSampleInfoSize != 0) { ALOGV("@@@@ using default sample info size of %d", mCurrentDefaultSampleInfoSize); return OK; } if(smplcnt > size) { ALOGW("b/124525515 - smplcnt(%u) > size(%ld)", (unsigned int)smplcnt, (unsigned long)size); android_errorWriteLog(0x534e4554, "124525515"); return -EINVAL; } if (smplcnt > mCurrentSampleInfoAllocSize) { uint8_t * newPtr = (uint8_t*) realloc(mCurrentSampleInfoSizes, smplcnt); if (newPtr == NULL) { Loading @@ -5079,26 +5095,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets( off64_t offset, off64_t /* size */) { off64_t offset, off64_t size) { ALOGV("parseSampleAuxiliaryInformationOffsets"); if (size < 8) { return -EINVAL; } // 14496-12 8.7.13 uint8_t version; if (mDataSource->readAt(offset, &version, sizeof(version)) != 1) { return ERROR_IO; } offset++; size--; uint32_t flags; if (!mDataSource->getUInt24(offset, &flags)) { return ERROR_IO; } offset += 3; size -= 3; uint32_t entrycount; if (!mDataSource->getUInt32(offset, &entrycount)) { return ERROR_IO; } offset += 4; size -= 4; if (entrycount == 0) { return OK; } Loading @@ -5124,19 +5146,31 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets( for (size_t i = 0; i < entrycount; i++) { if (version == 0) { if (size < 4) { ALOGW("b/124526959"); android_errorWriteLog(0x534e4554, "124526959"); return -EINVAL; } uint32_t tmp; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_IO; } mCurrentSampleInfoOffsets[i] = tmp; offset += 4; size -= 4; } else { if (size < 8) { ALOGW("b/124526959"); android_errorWriteLog(0x534e4554, "124526959"); return -EINVAL; } uint64_t tmp; if (!mDataSource->getUInt64(offset, &tmp)) { return ERROR_IO; } mCurrentSampleInfoOffsets[i] = tmp; offset += 8; size -= 8; } } Loading media/extractors/mp4/SampleTable.cpp +7 −10 Original line number Diff line number Diff line Loading @@ -391,20 +391,11 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { // Choose this bound because // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one // time-to-sample entry in the time-to-sample table. // 2) mTimeToSampleCount is the number of entries of the time-to-sample // table. // 3) We hope that the table size does not exceed UINT32_MAX. if (mTimeToSampleCount > (data_size - 8) / (2 * sizeof(uint32_t))) { ALOGE("Time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } // Note: At this point, we know that mTimeToSampleCount * 2 will not // overflow because of the above condition. uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t); mTotalSize += allocSize; if (mTotalSize > kMaxTotalSize) { Loading Loading @@ -540,6 +531,12 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t); if (allocSize > data_size - 8) { ALOGW("b/124771364 - allocSize(%lu) > size(%lu)", (unsigned long)allocSize, (unsigned long)(data_size - 8)); android_errorWriteLog(0x534e4554, "124771364"); return ERROR_MALFORMED; } if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; Loading Loading
media/extractors/mp4/MPEG4Extractor.cpp +37 −3 Original line number Diff line number Diff line Loading @@ -5011,8 +5011,11 @@ status_t MPEG4Source::parseChunk(off64_t *offset) { } status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( off64_t offset, off64_t /* size */) { off64_t offset, off64_t size) { ALOGV("parseSampleAuxiliaryInformationSizes"); if (size < 9) { return -EINVAL; } // 14496-12 8.7.12 uint8_t version; if (mDataSource->readAt( Loading @@ -5025,25 +5028,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( return ERROR_UNSUPPORTED; } offset++; size--; uint32_t flags; if (!mDataSource->getUInt24(offset, &flags)) { return ERROR_IO; } offset += 3; size -= 3; if (flags & 1) { if (size < 13) { return -EINVAL; } uint32_t tmp; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_MALFORMED; } mCurrentAuxInfoType = tmp; offset += 4; size -= 4; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_MALFORMED; } mCurrentAuxInfoTypeParameter = tmp; offset += 4; size -= 4; } uint8_t defsize; Loading @@ -5052,6 +5062,7 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } mCurrentDefaultSampleInfoSize = defsize; offset++; size--; uint32_t smplcnt; if (!mDataSource->getUInt32(offset, &smplcnt)) { Loading @@ -5059,11 +5070,16 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } mCurrentSampleInfoCount = smplcnt; offset += 4; size -= 4; if (mCurrentDefaultSampleInfoSize != 0) { ALOGV("@@@@ using default sample info size of %d", mCurrentDefaultSampleInfoSize); return OK; } if(smplcnt > size) { ALOGW("b/124525515 - smplcnt(%u) > size(%ld)", (unsigned int)smplcnt, (unsigned long)size); android_errorWriteLog(0x534e4554, "124525515"); return -EINVAL; } if (smplcnt > mCurrentSampleInfoAllocSize) { uint8_t * newPtr = (uint8_t*) realloc(mCurrentSampleInfoSizes, smplcnt); if (newPtr == NULL) { Loading @@ -5079,26 +5095,32 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationSizes( } status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets( off64_t offset, off64_t /* size */) { off64_t offset, off64_t size) { ALOGV("parseSampleAuxiliaryInformationOffsets"); if (size < 8) { return -EINVAL; } // 14496-12 8.7.13 uint8_t version; if (mDataSource->readAt(offset, &version, sizeof(version)) != 1) { return ERROR_IO; } offset++; size--; uint32_t flags; if (!mDataSource->getUInt24(offset, &flags)) { return ERROR_IO; } offset += 3; size -= 3; uint32_t entrycount; if (!mDataSource->getUInt32(offset, &entrycount)) { return ERROR_IO; } offset += 4; size -= 4; if (entrycount == 0) { return OK; } Loading @@ -5124,19 +5146,31 @@ status_t MPEG4Source::parseSampleAuxiliaryInformationOffsets( for (size_t i = 0; i < entrycount; i++) { if (version == 0) { if (size < 4) { ALOGW("b/124526959"); android_errorWriteLog(0x534e4554, "124526959"); return -EINVAL; } uint32_t tmp; if (!mDataSource->getUInt32(offset, &tmp)) { return ERROR_IO; } mCurrentSampleInfoOffsets[i] = tmp; offset += 4; size -= 4; } else { if (size < 8) { ALOGW("b/124526959"); android_errorWriteLog(0x534e4554, "124526959"); return -EINVAL; } uint64_t tmp; if (!mDataSource->getUInt64(offset, &tmp)) { return ERROR_IO; } mCurrentSampleInfoOffsets[i] = tmp; offset += 8; size -= 8; } } Loading
media/extractors/mp4/SampleTable.cpp +7 −10 Original line number Diff line number Diff line Loading @@ -391,20 +391,11 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { // Choose this bound because // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one // time-to-sample entry in the time-to-sample table. // 2) mTimeToSampleCount is the number of entries of the time-to-sample // table. // 3) We hope that the table size does not exceed UINT32_MAX. if (mTimeToSampleCount > (data_size - 8) / (2 * sizeof(uint32_t))) { ALOGE("Time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } // Note: At this point, we know that mTimeToSampleCount * 2 will not // overflow because of the above condition. uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t); mTotalSize += allocSize; if (mTotalSize > kMaxTotalSize) { Loading Loading @@ -540,6 +531,12 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)numSyncSamples * sizeof(uint32_t); if (allocSize > data_size - 8) { ALOGW("b/124771364 - allocSize(%lu) > size(%lu)", (unsigned long)allocSize, (unsigned long)(data_size - 8)); android_errorWriteLog(0x534e4554, "124771364"); return ERROR_MALFORMED; } if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; Loading
