Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9a3cbe46 authored by Joshua J. Drake's avatar Joshua J. Drake Committed by Jon Larimer
Browse files

Detect allocation failures and bail gracefully 

During the processing of several sample table related MP4 atoms, allocation
sizes could be large enough cause a std::bad_alloc exception to be raised. This
typically causes a crash (denial of service condition). Use std::nothrow to
catch allocation failures and return gracefully.

Bug: 20139950
Change-Id: I03d3f01b24e5fe3fa38985914bcfa694ea3dc09e
parent 0b572f5d

media/libstagefright/SampleTable.cpp

+16 −5
Original line number Original line Diff line number Diff line
@@ -234,7 +234,9 @@ status_t SampleTable::setSampleToChunkParams( 
        return ERROR_OUT_OF_RANGE;

        return ERROR_OUT_OF_RANGE;





    mSampleToChunkEntries =

    mSampleToChunkEntries =

        new SampleToChunkEntry[mNumSampleToChunkOffsets];

        new (std::nothrow) SampleToChunkEntry[mNumSampleToChunkOffsets];

    if (!mSampleToChunkEntries)

        return ERROR_OUT_OF_RANGE;





    for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {

    for (uint32_t i = 0; i < mNumSampleToChunkOffsets; ++i) {

        uint8_t buffer[12];

        uint8_t buffer[12];
@@ -337,7 +339,9 @@ status_t SampleTable::setTimeToSampleParams( 
    if (allocSize > SIZE_MAX) {

    if (allocSize > SIZE_MAX) {

        return ERROR_OUT_OF_RANGE;

        return ERROR_OUT_OF_RANGE;

    }

    }

    mTimeToSample = new uint32_t[mTimeToSampleCount * 2];

    mTimeToSample = new (std::nothrow) uint32_t[mTimeToSampleCount * 2];

    if (!mTimeToSample)

        return ERROR_OUT_OF_RANGE;





    size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;

    size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;

    if (mDataSource->readAt(

    if (mDataSource->readAt(
@@ -384,7 +388,9 @@ status_t SampleTable::setCompositionTimeToSampleParams( 
        return ERROR_OUT_OF_RANGE;

        return ERROR_OUT_OF_RANGE;

    }

    }





    mCompositionTimeDeltaEntries = new uint32_t[2 * numEntries];

    mCompositionTimeDeltaEntries = new (std::nothrow) uint32_t[2 * numEntries];

    if (!mCompositionTimeDeltaEntries)

        return ERROR_OUT_OF_RANGE;





    if (mDataSource->readAt(

    if (mDataSource->readAt(

                data_offset + 8, mCompositionTimeDeltaEntries, numEntries * 8)

                data_offset + 8, mCompositionTimeDeltaEntries, numEntries * 8)
@@ -434,7 +440,10 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size) 
        return ERROR_OUT_OF_RANGE;

        return ERROR_OUT_OF_RANGE;

    }

    }





    mSyncSamples = new uint32_t[mNumSyncSamples];

    mSyncSamples = new (std::nothrow) uint32_t[mNumSyncSamples];

    if (!mSyncSamples)

        return ERROR_OUT_OF_RANGE;



    size_t size = mNumSyncSamples * sizeof(uint32_t);

    size_t size = mNumSyncSamples * sizeof(uint32_t);

    if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size)

    if (mDataSource->readAt(mSyncSampleOffset + 8, mSyncSamples, size)

            != (ssize_t)size) {

            != (ssize_t)size) {
@@ -502,7 +511,9 @@ void SampleTable::buildSampleEntriesTable() { 
        return;

        return;

    }

    }





    mSampleTimeEntries = new SampleTimeEntry[mNumSampleSizes];

    mSampleTimeEntries = new (std::nothrow) SampleTimeEntry[mNumSampleSizes];

    if (!mSampleTimeEntries)

        return;





    uint32_t sampleIndex = 0;

    uint32_t sampleIndex = 0;

    uint32_t sampleTime = 0;

    uint32_t sampleTime = 0;