Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c5ecdd49 authored by Songyue Han's avatar Songyue Han
Browse files

Initialize mRowBytes and mSize with overflow check. 

Bug: b/233006499
Test: libstagefright_frameDecoder_fuzzer
Change-Id: Ia1d1b65164e142c6431aead18073c121a531994a
parent f94198d7

include/private/media/VideoFrame.h

+8 −3
Original line number Original line Diff line number Diff line
@@ -42,9 +42,14 @@ public: 
        mWidth(width), mHeight(height),

        mWidth(width), mHeight(height),

        mDisplayWidth(displayWidth), mDisplayHeight(displayHeight),

        mDisplayWidth(displayWidth), mDisplayHeight(displayHeight),

        mTileWidth(tileWidth), mTileHeight(tileHeight), mDurationUs(0),

        mTileWidth(tileWidth), mTileHeight(tileHeight), mDurationUs(0),

        mRotationAngle(angle), mBytesPerPixel(bpp), mRowBytes(bpp * width),

        mRotationAngle(angle), mBytesPerPixel(bpp), mIccSize(iccSize),

        mSize(hasData ? (bpp * width * height) : 0),

        mBitDepth(bitDepth) {

        mIccSize(iccSize), mBitDepth(bitDepth) {

            uint32_t multVal;

            mRowBytes = __builtin_mul_overflow(bpp, width, &multVal) ? 0 : multVal;

            mSize = __builtin_mul_overflow(multVal, height, &multVal) ? 0 : multVal;

            if (hasData && (mRowBytes == 0 || mSize == 0)) {

                ALOGE("Frame rowBytes/ size overflow %dx%d bpp %d", width, height, bpp);

            }

    }

    }





    void init(const VideoFrame& copy, const void* iccData, size_t iccSize) {

    void init(const VideoFrame& copy, const void* iccData, size_t iccSize) {