author | Dongwon Kang <dwkang@google.com> | 2019-05-15 16:18:35 -0700 |
---|---|---|
committer | Bryan Ferris <bferris@google.com> | 2020-02-24 12:25:02 -0800 |
commit | ad90ca79ba8470d430032a188b6f76284f4aa9b8 (patch) | |
tree | 7936334906c2f300c7dba088df28c448d41a64f0 | |
parent | 0db35529c7b1aaf7c08d59f22297781cf5195712 (diff) | |
Add more size checking for 'stts' box
Note: the new limit, data_size - 8, should be smaller than the previous one,
UINT_MAX, since we do global atom size checking with kMaxAtomSize, 2^26.
Test: run poc
Bug: 127973550
Change-Id: I1744d71d2e10183dd2bebfd01b15d9ee5998fdf3
-rw-r--r-- | media/extractors/mp4/SampleTable.cpp | 11 |
1 files changed, 1 insertions, 10 deletions
diff --git a/media/extractors/mp4/SampleTable.cpp b/media/extractors/mp4/SampleTable.cpp
index 6558033eee..e7e8901bf1 100644
--- a/media/extractors/mp4/SampleTable.cpp
+++ b/media/extractors/mp4/SampleTable.cpp
@@ -391,20 +391,11 @@ status_t SampleTable::setTimeToSampleParams(
 }
 mTimeToSampleCount = U32_AT(&header[4]);
- if (mTimeToSampleCount > UINT32_MAX / (2 * sizeof(uint32_t))) {
- // Choose this bound because
- // 1) 2 * sizeof(uint32_t) is the amount of memory needed for one
- // time-to-sample entry in the time-to-sample table.
- // 2) mTimeToSampleCount is the number of entries of the time-to-sample
- // table.
- // 3) We hope that the table size does not exceed UINT32_MAX.
+ if (mTimeToSampleCount > (data_size - 8) / (2 * sizeof(uint32_t))) {
 ALOGE("Time-to-sample table size too large.");
 return ERROR_OUT_OF_RANGE;
 }
- // Note: At this point, we know that mTimeToSampleCount * 2 will not
- // overflow because of the above condition.
-
 uint64_t allocSize = (uint64_t)mTimeToSampleCount * 2 * sizeof(uint32_t);
 mTotalSize += allocSize;
 if (mTotalSize > kMaxTotalSize) { |
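Review bot: The subtraction in `(data_size - 8)` on the added `if` is only safe when `data_size` is at least 8; if `data_size` is an unsigned type and a smaller value reaches this line, the expression wraps and the bound no longer limits `mTimeToSampleCount`. The start of `setTimeToSampleParams` is outside this hunk, so a `data_size < 8` rejection may already exist there; if it does not, add one before this check, e.g. `if (data_size < 8) return ERROR_MALFORMED;`. The commit also deletes the comment that explained the old bound without replacing it. Assuming the 8 is the header read just above (`header[4]` is the entry count), a short comment such as `// 8 header bytes precede the entries; each entry is 2 * sizeof(uint32_t), so the table must fit in the box payload` would keep the rationale next to the check.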