Loading media/libstagefright/MetaData.cpp +6 −1 Original line number Diff line number Diff line Loading @@ -272,7 +272,12 @@ void MetaData::typed_data::setData( mType = type; allocateStorage(size); memcpy(storage(), data, size); void *dst = storage(); if (!dst) { ALOGE("Couldn't allocate %zu bytes for item", size); return; } memcpy(dst, data, size); } void MetaData::typed_data::getData( Loading media/libstagefright/matroska/MatroskaExtractor.cpp +14 −1 Original line number Diff line number Diff line Loading @@ -865,25 +865,38 @@ status_t addVorbisCodecInfo( size_t offset = 1; size_t len1 = 0; while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) { if (len1 > (SIZE_MAX - 0xff)) { return ERROR_MALFORMED; // would overflow } len1 += 0xff; ++offset; } if (offset >= codecPrivateSize) { return ERROR_MALFORMED; } if (len1 > (SIZE_MAX - codecPrivate[offset])) { return ERROR_MALFORMED; // would overflow } len1 += codecPrivate[offset++]; size_t len2 = 0; while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) { if (len2 > (SIZE_MAX - 0xff)) { return ERROR_MALFORMED; // would overflow } len2 += 0xff; ++offset; } if (offset >= codecPrivateSize) { return ERROR_MALFORMED; } if (len2 > (SIZE_MAX - codecPrivate[offset])) { return ERROR_MALFORMED; // would overflow } len2 += codecPrivate[offset++]; if (codecPrivateSize < offset + len1 + len2) { if (len1 > SIZE_MAX - len2 || offset > SIZE_MAX - (len1 + len2) || codecPrivateSize < offset + len1 + len2) { return ERROR_MALFORMED; } Loading Loading
media/libstagefright/MetaData.cpp +6 −1 Original line number Diff line number Diff line Loading @@ -272,7 +272,12 @@ void MetaData::typed_data::setData( mType = type; allocateStorage(size); memcpy(storage(), data, size); void *dst = storage(); if (!dst) { ALOGE("Couldn't allocate %zu bytes for item", size); return; } memcpy(dst, data, size); } void MetaData::typed_data::getData( Loading
media/libstagefright/matroska/MatroskaExtractor.cpp +14 −1 Original line number Diff line number Diff line Loading @@ -865,25 +865,38 @@ status_t addVorbisCodecInfo( size_t offset = 1; size_t len1 = 0; while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) { if (len1 > (SIZE_MAX - 0xff)) { return ERROR_MALFORMED; // would overflow } len1 += 0xff; ++offset; } if (offset >= codecPrivateSize) { return ERROR_MALFORMED; } if (len1 > (SIZE_MAX - codecPrivate[offset])) { return ERROR_MALFORMED; // would overflow } len1 += codecPrivate[offset++]; size_t len2 = 0; while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) { if (len2 > (SIZE_MAX - 0xff)) { return ERROR_MALFORMED; // would overflow } len2 += 0xff; ++offset; } if (offset >= codecPrivateSize) { return ERROR_MALFORMED; } if (len2 > (SIZE_MAX - codecPrivate[offset])) { return ERROR_MALFORMED; // would overflow } len2 += codecPrivate[offset++]; if (codecPrivateSize < offset + len1 + len2) { if (len1 > SIZE_MAX - len2 || offset > SIZE_MAX - (len1 + len2) || codecPrivateSize < offset + len1 + len2) { return ERROR_MALFORMED; } Loading
