Loading media/libstagefright/SampleTable.cpp +14 −13 Original line number Diff line number Diff line Loading @@ -18,6 +18,8 @@ //#define LOG_NDEBUG 0 #include <utils/Log.h> #include <limits> #include "include/SampleTable.h" #include "include/SampleIterator.h" Loading Loading @@ -45,6 +47,8 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2'); //////////////////////////////////////////////////////////////////////////////// const off64_t kMaxOffset = std::numeric_limits<off64_t>::max(); struct SampleTable::CompositionDeltaLookup { CompositionDeltaLookup(); Loading Loading @@ -233,11 +237,11 @@ status_t SampleTable::setSampleToChunkParams( mNumSampleToChunkOffsets = U32_AT(&header[4]); if ((data_size - 8) / 12 < mNumSampleToChunkOffsets) { if ((data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets) { return ERROR_MALFORMED; } if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <= if ((uint64_t)kMaxTotalSize / sizeof(SampleToChunkEntry) <= (uint64_t)mNumSampleToChunkOffsets) { ALOGE("Sample-to-chunk table size too large."); return ERROR_OUT_OF_RANGE; Loading Loading @@ -269,21 +273,19 @@ status_t SampleTable::setSampleToChunkParams( return OK; } if ((off64_t)(SIZE_MAX - 8 - if ((off64_t)(kMaxOffset - 8 - ((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry))) < mSampleToChunkOffset) { return ERROR_MALFORMED; } for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { uint8_t buffer[12]; if ((off64_t)(SIZE_MAX - 8 - (i * 12)) < mSampleToChunkOffset) { return ERROR_MALFORMED; } uint8_t buffer[sizeof(SampleToChunkEntry)]; if (mDataSource->readAt( mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer)) mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry), buffer, sizeof(buffer)) != (ssize_t)sizeof(buffer)) { return ERROR_IO; } Loading Loading @@ -384,8 +386,7 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); if ((uint64_t)mTimeToSampleCount > (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) { if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { // Choose this bound because // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one // time-to-sample entry in the time-to-sample table. Loading Loading @@ -469,7 +470,7 @@ status_t SampleTable::setCompositionTimeToSampleParams( mNumCompositionTimeDeltaEntries = numEntries; uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(int32_t); if (allocSize > SIZE_MAX) { if (allocSize > kMaxTotalSize) { ALOGE("Composition-time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } Loading Loading @@ -536,7 +537,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); if (allocSize > SIZE_MAX) { if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; } Loading Loading
media/libstagefright/SampleTable.cpp +14 −13 Original line number Diff line number Diff line Loading @@ -18,6 +18,8 @@ //#define LOG_NDEBUG 0 #include <utils/Log.h> #include <limits> #include "include/SampleTable.h" #include "include/SampleIterator.h" Loading Loading @@ -45,6 +47,8 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2'); //////////////////////////////////////////////////////////////////////////////// const off64_t kMaxOffset = std::numeric_limits<off64_t>::max(); struct SampleTable::CompositionDeltaLookup { CompositionDeltaLookup(); Loading Loading @@ -233,11 +237,11 @@ status_t SampleTable::setSampleToChunkParams( mNumSampleToChunkOffsets = U32_AT(&header[4]); if ((data_size - 8) / 12 < mNumSampleToChunkOffsets) { if ((data_size - 8) / sizeof(SampleToChunkEntry) < mNumSampleToChunkOffsets) { return ERROR_MALFORMED; } if ((uint64_t)SIZE_MAX / sizeof(SampleToChunkEntry) <= if ((uint64_t)kMaxTotalSize / sizeof(SampleToChunkEntry) <= (uint64_t)mNumSampleToChunkOffsets) { ALOGE("Sample-to-chunk table size too large."); return ERROR_OUT_OF_RANGE; Loading Loading @@ -269,21 +273,19 @@ status_t SampleTable::setSampleToChunkParams( return OK; } if ((off64_t)(SIZE_MAX - 8 - if ((off64_t)(kMaxOffset - 8 - ((mNumSampleToChunkOffsets - 1) * sizeof(SampleToChunkEntry))) < mSampleToChunkOffset) { return ERROR_MALFORMED; } for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) { uint8_t buffer[12]; if ((off64_t)(SIZE_MAX - 8 - (i * 12)) < mSampleToChunkOffset) { return ERROR_MALFORMED; } uint8_t buffer[sizeof(SampleToChunkEntry)]; if (mDataSource->readAt( mSampleToChunkOffset + 8 + i * 12, buffer, sizeof(buffer)) mSampleToChunkOffset + 8 + i * sizeof(SampleToChunkEntry), buffer, sizeof(buffer)) != (ssize_t)sizeof(buffer)) { return ERROR_IO; } Loading Loading @@ -384,8 +386,7 @@ status_t SampleTable::setTimeToSampleParams( } mTimeToSampleCount = U32_AT(&header[4]); if ((uint64_t)mTimeToSampleCount > (uint64_t)UINT32_MAX / (2 * sizeof(uint32_t))) { if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) { // Choose this bound because // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one // time-to-sample entry in the time-to-sample table. Loading Loading @@ -469,7 +470,7 @@ status_t SampleTable::setCompositionTimeToSampleParams( mNumCompositionTimeDeltaEntries = numEntries; uint64_t allocSize = (uint64_t)numEntries * 2 * sizeof(int32_t); if (allocSize > SIZE_MAX) { if (allocSize > kMaxTotalSize) { ALOGE("Composition-time-to-sample table size too large."); return ERROR_OUT_OF_RANGE; } Loading Loading @@ -536,7 +537,7 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) } uint64_t allocSize = (uint64_t)mNumSyncSamples * sizeof(uint32_t); if (allocSize > SIZE_MAX) { if (allocSize > kMaxTotalSize) { ALOGE("Sync sample table size too large."); return ERROR_OUT_OF_RANGE; } Loading
