Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a5516181 authored by Sungtak Lee's avatar Sungtak Lee
Browse files

libstagefright: Check overflow during VideoFrame creation 

During VideoFrame creation, prevent overflow of size calculation or
displayWidth calculation.

Bug: 180357299
Change-Id: I076f957846e12e68a3ba72495d48c0103ccf4adf
parent 0e1707c0

media/libstagefright/FrameDecoder.cpp

+16 −0
Original line number Diff line number Diff line
@@ -67,6 +67,12 @@ sp<IMemory> allocVideoFrame(const sp<MetaData>& trackMeta, 
    if (trackMeta->findInt32(kKeySARWidth, &sarWidth)

            && trackMeta->findInt32(kKeySARHeight, &sarHeight)

            && sarHeight != 0) {

        int32_t multVal;

        if (width < 0 || sarWidth < 0 ||

            __builtin_mul_overflow(width, sarWidth, &multVal)) {

            ALOGE("displayWidth overflow %dx%d", width, sarWidth);

            return NULL;

        }

        displayWidth = (width * sarWidth) / sarHeight;

        displayHeight = height;

    } else if (trackMeta->findInt32(kKeyDisplayWidth, &displayWidth)
@@ -87,6 +93,16 @@ sp<IMemory> allocVideoFrame(const sp<MetaData>& trackMeta, 
        rotationAngle = 0;

    }



    if (!metaOnly) {

        int32_t multVal;

        if (width < 0 || height < 0 || dstBpp < 0 ||

            __builtin_mul_overflow(dstBpp, width, &multVal) ||

            __builtin_mul_overflow(multVal, height, &multVal)) {

            ALOGE("Frame size overflow %dx%d bpp %d", width, height, dstBpp);

            return NULL;

        }

    }



    VideoFrame frame(width, height, displayWidth, displayHeight,

            tileWidth, tileHeight, rotationAngle, dstBpp, !metaOnly, iccSize);