libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable.

Bug: 23247055 Change-Id: I29ef59c7ff09248063714e5013f7c33f66c5eebd (cherry picked from commit 3564c456) (cherry picked from commit 108cd2dc)

libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable.
Bug: 23247055 Change-Id: I29ef59c7ff09248063714e5013f7c33f66c5eebd (cherry picked from commit 3564c456) (cherry picked from commit 108cd2dc)
99156461 · Wei Jia · The Android Automerger · 749cc1e7 · 99156461 · 99156461
Commit 99156461 authored 9 years ago by Wei Jia Committed by The Android Automerger 9 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 3 deletions

media/libstagefright/SampleTable.cpp media/libstagefright/SampleTable.cpp +13 -1

media/libstagefright/include/SampleTable.h media/libstagefright/include/SampleTable.h +3 -2

No files found.
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -27,6 +27,11 @@
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/Utils.h>

+/* TODO: remove after being merged into other branches */
+#ifndef UINT32_MAX
+#define UINT32_MAX       (4294967295U)
+#endif
+
 namespace android {

 // static
@@ -282,6 +287,9 @@ status_t SampleTable::setSampleSizeParams(

    mDefaultSampleSize = U32_AT(&header[4]);
    mNumSampleSizes = U32_AT(&header[8]);
+    if (mNumSampleSizes > (UINT32_MAX - 12) / 16) {
+        return ERROR_MALFORMED;
+    }

    if (type == kSampleSizeType32) {
        mSampleSizeFieldSize = 32;
@@ -498,7 +506,7 @@ int SampleTable::CompareIncreasingTime(const void *_a, const void *_b) {
 void SampleTable::buildSampleEntriesTable() {
    Mutex::Autolock autoLock(mLock);

-    if (mSampleTimeEntries != NULL) {
+    if (mSampleTimeEntries != NULL || mNumSampleSizes == 0) {
        return;
    }

@@ -541,6 +549,10 @@ status_t SampleTable::findSampleAtTime(
        uint32_t *sample_index, uint32_t flags) {
    buildSampleEntriesTable();

+    if (mSampleTimeEntries == NULL) {
+        return ERROR_OUT_OF_RANGE;
+    }
+
    uint32_t left = 0;
    uint32_t right_plus_one = mNumSampleSizes;
    while (left < right_plus_one) {

--- a/media/libstagefright/include/SampleTable.h
+++ b/media/libstagefright/include/SampleTable.h
@@ -142,8 +142,9 @@ private:
    // normally we don't round
    inline uint64_t getSampleTime(
            size_t sample_index, uint64_t scale_num, uint64_t scale_den) const {
-        return (mSampleTimeEntries[sample_index].mCompositionTime
-            * scale_num) / scale_den;
+        return (sample_index < (size_t)mNumSampleSizes && mSampleTimeEntries != NULL
+                && scale_den != 0)
+                ? (mSampleTimeEntries[sample_index].mCompositionTime * scale_num) / scale_den : 0;
    }

    status_t getSampleSize_l(uint32_t sample_index, size_t *sample_size);