Fix potential overflow

Bug: 28533562
Change-Id: I798ab24caa4c81f3ba564cad7c9ee019284fb702
(cherry picked from commit d0090759e79208d7203280166018bb7d5d4f9d02)
diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
index 9517d0a..799bd16 100644
--- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
+++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
@@ -60,6 +60,7 @@
 #include "h264bsd_util.h"
 #include "basetype.h"
 
+#include <log/log.h>
 /*------------------------------------------------------------------------------
     2. External compiler flags
 --------------------------------------------------------------------------------
@@ -998,6 +999,13 @@
     ASSERT(maxFrameNum);
     ASSERT(dpbSize);
 
+    // see comment in loop below about size calculation
+    if (picSizeInMbs > (UINT32_MAX - 32 - 15) / 384) {
+        ALOGE("b/28533562");
+        android_errorWriteLog(0x534e4554, "28533562");
+        return(MEMORY_ALLOCATION_ERROR);
+    }
+
     dpb->maxLongTermFrameIdx = NO_LONG_TERM_FRAME_INDICES;
     dpb->maxRefFrames        = MAX(maxRefFrames, 1);
     if (noReordering)
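Review bot: The guard `if (picSizeInMbs > (UINT32_MAX - 32 - 15) / 384)` repeats the constants of a size calculation that sits in a loop outside this hunk, and its comment only points there, so the bound and the allocation can drift apart unnoticed. I would make the comment self-contained, assuming the loop really computes what the guard implies: `// each picture buffer is picSizeInMbs*384 + 32 + 15 bytes in 32-bit arithmetic; reject sizes that would wrap`. The literal in `android_errorWriteLog(0x534e4554, "28533562")` also deserves a short comment such as `// 0x534e4554 ("SNET") is the SafetyNet event-log tag`. The early return runs before any `dpb` field is assigned, so it is worth confirming that callers treat the dpb as uninitialised when they get `MEMORY_ALLOCATION_ERROR`. The function body starts and ends outside the hunk.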