Fix potential overflow in WAV extractor

Bug: 170583712
Test: fuzzer poc, atest DecoderTest#testDecodeWav
Change-Id: I73edd5fc0da80dc2cdd26c6fcd09496b2c828ba9
Merged-In: I73edd5fc0da80dc2cdd26c6fcd09496b2c828ba9
(cherry picked from commit 7e151103ca63ee6c864824cc90f4ecb102cbc91e)
diff --git a/media/libstagefright/WAVExtractor.cpp b/media/libstagefright/WAVExtractor.cpp
index 780b746..70e613e 100644
--- a/media/libstagefright/WAVExtractor.cpp
+++ b/media/libstagefright/WAVExtractor.cpp
@@ -60,7 +60,7 @@
             const sp<DataSource> &dataSource,
             const sp<MetaData> &meta,
             uint16_t waveFormat,
-            int32_t bitsPerSample,
+            uint32_t bitsPerSample,
             off64_t offset, size_t size);
 
     virtual status_t start(MetaData *params = NULL);
@@ -81,9 +81,9 @@
     sp<DataSource> mDataSource;
     sp<MetaData> mMeta;
     uint16_t mWaveFormat;
-    int32_t mSampleRate;
-    int32_t mNumChannels;
-    int32_t mBitsPerSample;
+    uint32_t mSampleRate;
+    uint32_t mNumChannels;
+    uint32_t mBitsPerSample;
     off64_t mOffset;
     size_t mSize;
     bool mStarted;
@@ -351,7 +351,7 @@
         const sp<DataSource> &dataSource,
         const sp<MetaData> &meta,
         uint16_t waveFormat,
-        int32_t bitsPerSample,
+        uint32_t bitsPerSample,
         off64_t offset, size_t size)
     : mDataSource(dataSource),
       mMeta(meta),
@@ -363,8 +363,8 @@
       mSize(size),
       mStarted(false),
       mGroup(NULL) {
-    CHECK(mMeta->findInt32(kKeySampleRate, &mSampleRate));
-    CHECK(mMeta->findInt32(kKeyChannelCount, &mNumChannels));
+    CHECK(mMeta->findInt32(kKeySampleRate, (int32_t*) &mSampleRate));
+    CHECK(mMeta->findInt32(kKeyChannelCount, (int32_t*) &mNumChannels));
 
     mMeta->setInt32(kKeyMaxInputSize, kMaxFrameSize);
 }
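Review bot: The `(int32_t*)` casts on the two `findInt32` calls store a signed metadata value directly into the now-unsigned `mSampleRate` and `mNumChannels`, so zero is accepted and a negative value silently becomes a very large unsigned number. Whether the header parser already rejects such values before they reach `meta` is not visible in this hunk. The constructor should read into local `int32_t` variables, check that both are positive, and only then assign the members. That also removes the C-style pointer casts. The constructor's signature and most of its initializer list lie outside this hunk.

```cpp
    // … unchanged: member initializer list …
    int32_t sampleRate;
    int32_t numChannels;
    CHECK(mMeta->findInt32(kKeySampleRate, &sampleRate));
    CHECK(mMeta->findInt32(kKeyChannelCount, &numChannels));
    CHECK_GT(sampleRate, 0);
    CHECK_GT(numChannels, 0);
    mSampleRate = sampleRate;
    mNumChannels = numChannels;
    // … unchanged: kKeyMaxInputSize setup …
```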
@@ -452,8 +452,8 @@
         mBitsPerSample == 8 ? kMaxFrameSize / 2 : 
         (mBitsPerSample == 24 ? 3*(kMaxFrameSize/3): kMaxFrameSize);
 
-    size_t maxBytesAvailable =
-        (mCurrentPos - mOffset >= (off64_t)mSize)
+    const size_t maxBytesAvailable =
+        (mCurrentPos < mOffset || mCurrentPos - mOffset >= (off64_t)mSize)
             ? 0 : mSize - (mCurrentPos - mOffset);
 
     if (maxBytesToRead > maxBytesAvailable) {
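Review bot: The new `mCurrentPos < mOffset` guard in the `maxBytesAvailable` expression has no comment saying why it is needed, and the reason is easy to lose in a later cleanup. I would add above the declaration: `// A position before the data start makes mCurrentPos - mOffset negative; converted to size_t it would wrap to a huge byte count, so report 0 instead.` The `(off64_t)mSize` cast on the same line is still unchecked; it is only safe if `mSize` was bounded when the chunk header was parsed, which this hunk does not show. The enclosing function starts and ends outside the hunk.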