Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4b8343e4 authored by Takahiro Aizawa's avatar Takahiro Aizawa Committed by Wei Jia
Browse files

avc_utils: check delta_scale range to avoid overflow 

In some cases delta_scale can be negative value while lastScale is
defined as size_t which is unsigned. Adding negative value to unsigned
causes overflow which triggers crash because of compiler flags:
LOCAL_SANITIZE := unsigned-integer-overflow signed-integer-overflow

Test: play specific contents
Bug: 62213565

Author: Michal Piechowski <michal.piechowski@sonymobile.com>
Change-Id: I8b3ad12a95f977db56073c078c179290d8d92368
(cherry picked from commit 0dc618869098e67a2b60971b8699bfb8b8a85dc7)
parent 8f779cf3

media/libstagefright/avc_utils.cpp

+10 −1
Original line number Diff line number Diff line
@@ -80,7 +80,16 @@ static void skipScalingList(ABitReader *br, size_t sizeOfScalingList) { 
    for (size_t j = 0; j < sizeOfScalingList; ++j) {

        if (nextScale != 0) {

            signed delta_scale = parseSE(br);

            nextScale = (lastScale + delta_scale + 256) % 256;

            // ISO_IEC_14496-10_201402-ITU, 7.4.2.1.1.1, The value of delta_scale

            // shall be in the range of −128 to +127, inclusive.

            if (delta_scale < -128) {

                ALOGW("delta_scale (%d) is below range, capped to -128", delta_scale);

                delta_scale = -128;

            } else if (delta_scale > 127) {

                ALOGW("delta_scale (%d) is above range, capped to 127", delta_scale);

                delta_scale = 127;

            }

            nextScale = (lastScale + (delta_scale + 256)) % 256;

        }



        lastScale = (nextScale == 0) ? lastScale : nextScale;