libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable.
Bug: 23247055
Change-Id: I29ef59c7ff09248063714e5013f7c33f66c5eebd
diff --git a/media/libstagefright/SampleTable.cpp b/media/libstagefright/SampleTable.cpp
index aeef99f..97dff43 100644
--- a/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/SampleTable.cpp
@@ -27,6 +27,11 @@
#include <media/stagefright/DataSource.h>
#include <media/stagefright/Utils.h>
+/* TODO: remove after being merged into other branches */
+#ifndef UINT32_MAX
+#define UINT32_MAX (4294967295U)
+#endif
+
namespace android {
// static
@@ -284,6 +289,9 @@
mDefaultSampleSize = U32_AT(&header[4]);
mNumSampleSizes = U32_AT(&header[8]);
+ if (mNumSampleSizes > (UINT32_MAX - 12) / 16) {
+ return ERROR_MALFORMED;
+ }
if (type == kSampleSizeType32) {
mSampleSizeFieldSize = 32;
@@ -507,7 +515,7 @@
void SampleTable::buildSampleEntriesTable() {
Mutex::Autolock autoLock(mLock);
- if (mSampleTimeEntries != NULL) {
+ if (mSampleTimeEntries != NULL || mNumSampleSizes == 0) {
return;
}
@@ -552,6 +560,10 @@
uint32_t *sample_index, uint32_t flags) {
buildSampleEntriesTable();
+ if (mSampleTimeEntries == NULL) {
+ return ERROR_OUT_OF_RANGE;
+ }
+
uint32_t left = 0;
uint32_t right_plus_one = mNumSampleSizes;
while (left < right_plus_one) {
diff --git a/media/libstagefright/include/SampleTable.h b/media/libstagefright/include/SampleTable.h
index d06df7b..460492b 100644
--- a/media/libstagefright/include/SampleTable.h
+++ b/media/libstagefright/include/SampleTable.h
@@ -142,8 +142,9 @@
// normally we don't round
inline uint64_t getSampleTime(
size_t sample_index, uint64_t scale_num, uint64_t scale_den) const {
- return (mSampleTimeEntries[sample_index].mCompositionTime
- * scale_num) / scale_den;
+ return (sample_index < (size_t)mNumSampleSizes && mSampleTimeEntries != NULL
+ && scale_den != 0)
+ ? (mSampleTimeEntries[sample_index].mCompositionTime * scale_num) / scale_den : 0;
}
status_t getSampleSize_l(uint32_t sample_index, size_t *sample_size);
