Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bc9ab7cd authored by Wonsik Kim's avatar Wonsik Kim Committed by Android (Google) Code Review
Browse files

Merge "Ogg: avoid size_t overflow in base64 decoding" into mnc-dev

parents d35955dd 76483691

media/libstagefright/OggExtractor.cpp

+15 −5
Original line number Diff line number Diff line
@@ -1220,11 +1220,14 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) { 
        }

    }



    size_t outLen = 3 * size / 4 - padding;



    *outSize = outLen;

    // We divide first to avoid overflow. It's OK to do this because we

    // already made sure that size % 4 == 0.

    size_t outLen = (size / 4) * 3 - padding;



    void *buffer = malloc(outLen);

    if (buffer == NULL) {

        return NULL;

    }



    uint8_t *out = (uint8_t *)buffer;

    size_t j = 0;
@@ -1243,10 +1246,10 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) { 
        } else if (c == '/') {

            value = 63;

        } else if (c != '=') {

            return NULL;

            break;

        } else {

            if (i < n - padding) {

                return NULL;

                break;

            }



            value = 0;
@@ -1264,6 +1267,13 @@ static uint8_t *DecodeBase64(const char *s, size_t size, size_t *outSize) { 
        }

    }



    // Check if we exited the loop early.

    if (j < outLen) {

        free(buffer);

        return NULL;

    }



    *outSize = outLen;

    return (uint8_t *)buffer;

}