Bug 1149605: Avoid potential integers overflow. r=kentuckyfriedtakahe

media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp

@@ -28,6 +28,8 @@
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/Utils.h>
 
+#include <stdint.h>
+
 namespace stagefright {
 
 // static
@@ -41,6 +43,9 @@ const uint32_t SampleTable::kSampleSizeTypeCompact = FOURCC('s', 't', 'z', '2');
 
 const uint32_t kAuxTypeCenc = FOURCC('c', 'e', 'n', 'c');
 
+static const uint32_t kMAX_ALLOCATION =
+    (SIZE_MAX < INT32_MAX ? SIZE_MAX : INT32_MAX) - 128;
+
 ////////////////////////////////////////////////////////////////////////////////
 
 struct SampleTable::CompositionDeltaLookup {
@@ -205,11 +210,11 @@ status_t SampleTable::setChunkOffsetParams(
     mNumChunkOffsets = U32_AT(&header[4]);
 
     if (mChunkOffsetType == kChunkOffsetType32) {
-        if (data_size < 8 + mNumChunkOffsets * 4) {
+        if (data_size < 8 + (uint64_t)mNumChunkOffsets * 4) {
             return ERROR_MALFORMED;
         }
     } else {
-        if (data_size < 8 + mNumChunkOffsets * 8) {
+        if (data_size < 8 + (uint64_t)mNumChunkOffsets * 8) {
             return ERROR_MALFORMED;
         }
     }
@@ -242,7 +247,7 @@ status_t SampleTable::setSampleToChunkParams(
 
     mNumSampleToChunkOffsets = U32_AT(&header[4]);
 
-    if (data_size < 8 + mNumSampleToChunkOffsets * 12) {
+    if (data_size < 8 + (uint64_t)mNumSampleToChunkOffsets * 12) {
         return ERROR_MALFORMED;
     }
 
@@ -306,7 +311,7 @@ status_t SampleTable::setSampleSizeParams(
             return OK;
         }
 
-        if (data_size < 12 + mNumSampleSizes * 4) {
+        if (data_size < 12 + (uint64_t)mNumSampleSizes * 4) {
             return ERROR_MALFORMED;
         }
     } else {
@@ -323,7 +328,7 @@ status_t SampleTable::setSampleSizeParams(
             return ERROR_MALFORMED;
         }
 
-        if (data_size < 12 + (mNumSampleSizes * mSampleSizeFieldSize + 4) / 8) {
+        if (data_size < 12 + ((uint64_t)mNumSampleSizes * mSampleSizeFieldSize + 4) / 8) {
             return ERROR_MALFORMED;
         }
     }
@@ -349,6 +354,10 @@ status_t SampleTable::setTimeToSampleParams(
     }
 
     mTimeToSampleCount = U32_AT(&header[4]);
+    if (mTimeToSampleCount > kMAX_ALLOCATION / 2 / sizeof(uint32_t)) {
+        // Avoid later overflow.
+        return ERROR_MALFORMED;
+    }
     mTimeToSample = new uint32_t[mTimeToSampleCount * 2];
 
     size_t size = sizeof(uint32_t) * mTimeToSampleCount * 2;
@@ -384,9 +393,9 @@ status_t SampleTable::setCompositionTimeToSampleParams(
         return ERROR_MALFORMED;
     }
 
-    size_t numEntries = U32_AT(&header[4]);
+    uint32_t numEntries = U32_AT(&header[4]);
 
-    if (data_size != (numEntries + 1) * 8) {
+    if (data_size != ((uint64_t)numEntries + 1) * 8) {
         return ERROR_MALFORMED;
     }
 
@@ -431,6 +440,10 @@ status_t SampleTable::setSyncSampleParams(off64_t data_offset, size_t data_size)
     }
 
     mNumSyncSamples = U32_AT(&header[4]);
+    if (mNumSyncSamples > kMAX_ALLOCATION / sizeof(uint32_t)) {
+        // Avoid later overflow.
+        return ERROR_MALFORMED;
+    }
 
     if (mNumSyncSamples < 2) {
         ALOGV("Table of sync samples is empty or has only a single entry!");
@@ -607,6 +620,11 @@ SampleTable::parseSampleCencInfo() {
         return ERROR_MALFORMED;
     }
 
+    if (mCencInfoCount > kMAX_ALLOCATION / sizeof(SampleCencInfo)) {
+        // Avoid future OOM.
+        return ERROR_MALFORMED;
+    }
+
     mCencInfo = new SampleCencInfo[mCencInfoCount];
     for (uint32_t i = 0; i < mCencInfoCount; i++) {
         mCencInfo[i].mSubsamples = NULL;