Check for overflow of crypto sizecm-13.0

Bug: 111603051
Test: CTS
Change-Id: Ib5b1802b9b35769a25c16e2b977308cf7a810606
(cherry picked from commit d1fd02761236b35a336434367131f71bef7405c9)

1 files changed, 12 insertions, 1 deletions

diff --git a/media/ndk/NdkMediaCodec.cpp b/media/ndk/NdkMediaCodec.cpp
index cd0c4623ce..b6cec49195 100644
--- a/media/ndk/NdkMediaCodec.cpp
+++ b/media/ndk/NdkMediaCodec.cpp
@@ -421,7 +421,18 @@ AMediaCodecCryptoInfo *AMediaCodecCryptoInfo_new(
         size_t *encryptedbytes) {
 
     // size needed to store all the crypto data
-    size_t cryptosize = sizeof(AMediaCodecCryptoInfo) + sizeof(size_t) * numsubsamples * 2;
+    size_t cryptosize;
+    // = sizeof(AMediaCodecCryptoInfo) + sizeof(size_t) * numsubsamples * 2;
+    if (numsubsamples > SIZE_MAX / (sizeof(size_t) * 2)) {
+        ALOGE("crypto size overflow");
+        return NULL;
+    }
+    cryptosize = sizeof(size_t) * numsubsamples * 2;
+    if (sizeof(AMediaCodecCryptoInfo) > SIZE_MAX - cryptosize) {
+        ALOGE("crypto size overflow");
+        return NULL;
+    }
+    cryptosize += sizeof(AMediaCodecCryptoInfo);
     AMediaCodecCryptoInfo *ret = (AMediaCodecCryptoInfo*) malloc(cryptosize);
     if (!ret) {
         ALOGE("couldn't allocate %zu bytes", cryptosize);