Ogg: avoid size_t overflow in base64 decoding Bug: 23707088 Change-Id: I8d32841fee3213c721cdcc57788807ea64d19d74

commit: 085c1a8455b057df0ab685c467a0db50284d2700 [log] [tgz]
author: Wonsik Kim <wonsik@google.com> Wed Sep 02 16:02:19 2015 +0900
committer: The Android Automerger <android-build@android.com> Wed Oct 21 11:45:21 2015 -0700
tree: dc8dd950dd702c2aa78c552dde9b40d58066b9ce
parent: ded45e2a9c84ab4e43e224336b5028badf5f5c92 [diff]
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 45095fc..61af3c6 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp

@@ -893,11 +893,14 @@
         }
     }
 
-    size_t outLen = 3 * size / 4 - padding;
-
-    *outSize = outLen;
+    // We divide first to avoid overflow. It's OK to do this because we
+    // already made sure that size % 4 == 0.
+    size_t outLen = (size / 4) * 3 - padding;
 
     void *buffer = malloc(outLen);
+    if (buffer == NULL) {
+        return NULL;
+    }
 
     uint8_t *out = (uint8_t *)buffer;
     size_t j = 0;
@@ -916,10 +919,10 @@
         } else if (c == '/') {
             value = 63;
         } else if (c != '=') {
-            return NULL;
+            break;
         } else {
             if (i < n - padding) {
-                return NULL;
+                break;
             }
 
             value = 0;
@@ -937,6 +940,13 @@
         }
     }
 
+    // Check if we exited the loop early.
+    if (j < outLen) {
+        free(buffer);
+        return NULL;
+    }
+
+    *outSize = outLen;
     return (uint8_t *)buffer;
 }
commit	085c1a8455b057df0ab685c467a0db50284d2700	[log] [tgz]
author	Wonsik Kim <wonsik@google.com>	Wed Sep 02 16:02:19 2015 +0900
committer	The Android Automerger <android-build@android.com>	Wed Oct 21 11:45:21 2015 -0700
tree	dc8dd950dd702c2aa78c552dde9b40d58066b9ce
parent	ded45e2a9c84ab4e43e224336b5028badf5f5c92 [diff]