Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7ed7ae95 authored by Dongwon Kang's avatar Dongwon Kang
Browse files

Add more size checking for 'stts' box 

Note: new limit, data_size - 8, should be smaller than the previous one,
UINT_MAX, since we global atom size checking with kMaxAtomSize, 2^26.

Test: run poc
Bug: 127973550
Change-Id: I1744d71d2e10183dd2bebfd01b15d9ee5998fdf3
parent 4dad6fcf

media/extractors/mp4/SampleTable.cpp

+1 −10
Original line number Diff line number Diff line
@@ -391,20 +391,11 @@ status_t SampleTable::setTimeToSampleParams( 
    }



    mTimeToSampleCount = U32_AT(&header[4]);

    if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) {

        // Choose this bound because

        // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one

        //    time-to-sample entry in the time-to-sample table.

        // 2) mTimeToSampleCount is the number of entries of the time-to-sample

        //    table.

        // 3) We hope that the table size does not exceed UINT32_MAX.

    if (mTimeToSampleCount > (data_size - 8) / (2 * sizeof(uint32_t))) {

        ALOGE("Time-to-sample table size too large.");

        return ERROR_OUT_OF_RANGE;

    }



    // Note: At this point, we know that mTimeToSampleCount * 2 will not

    // overflow because of the above condition.



    uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t);

    mTotalSize += allocSize;

    if (mTotalSize > kMaxTotalSize) {