Fix potential overflow in WAV extractor
Bug: 170583712
Test: fuzzer poc, atest DecoderTest#testDecodeWav
Change-Id: I73edd5fc0da80dc2cdd26c6fcd09496b2c828ba9
Merged-In: I73edd5fc0da80dc2cdd26c6fcd09496b2c828ba9
(cherry picked from commit d3d872daadbf3de72e3af50ea96d73ff46d5c16b)
diff --git a/media/extractors/wav/WAVExtractor.cpp b/media/extractors/wav/WAVExtractor.cpp
index f5a1b01..837f8d0 100644
--- a/media/extractors/wav/WAVExtractor.cpp
+++ b/media/extractors/wav/WAVExtractor.cpp
@@ -60,7 +60,7 @@
DataSourceBase *dataSource,
MetaDataBase &meta,
uint16_t waveFormat,
- int32_t bitsPerSample,
+ uint32_t bitsPerSample,
off64_t offset, size_t size);
virtual status_t start(MetaDataBase *params = NULL);
@@ -81,9 +81,9 @@
DataSourceBase *mDataSource;
MetaDataBase &mMeta;
uint16_t mWaveFormat;
- int32_t mSampleRate;
- int32_t mNumChannels;
- int32_t mBitsPerSample;
+ uint32_t mSampleRate;
+ uint32_t mNumChannels;
+ uint32_t mBitsPerSample;
off64_t mOffset;
size_t mSize;
bool mStarted;
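Review bot: The three members changed to `uint32_t` here carry no comment stating their valid ranges, and unsigned types only make overflow wrap modulo 2^32 rather than prevent it. If code outside this hunk multiplies them (for example channels by bits per sample by a frame count) to size a read or a buffer, the product should be computed in `size_t` or `uint64_t` after a bounds check. I would add a comment above them such as `// Non-negative values taken from the file header; widen before multiplying, uint32_t arithmetic wraps silently.` The class definition starts and ends outside the hunk, so any existing validation is not visible here.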
@@ -350,7 +350,7 @@
DataSourceBase *dataSource,
MetaDataBase &meta,
uint16_t waveFormat,
- int32_t bitsPerSample,
+ uint32_t bitsPerSample,
off64_t offset, size_t size)
: mDataSource(dataSource),
mMeta(meta),
@@ -362,8 +362,8 @@
mSize(size),
mStarted(false),
mGroup(NULL) {
- CHECK(mMeta.findInt32(kKeySampleRate, &mSampleRate));
- CHECK(mMeta.findInt32(kKeyChannelCount, &mNumChannels));
+ CHECK(mMeta.findInt32(kKeySampleRate, (int32_t*) &mSampleRate));
+ CHECK(mMeta.findInt32(kKeyChannelCount, (int32_t*) &mNumChannels));
mMeta.setInt32(kKeyMaxInputSize, kMaxFrameSize);
}
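Review bot: The `(int32_t*) &mSampleRate` and `(int32_t*) &mNumChannels` casts store a signed metadata value straight into an unsigned member, so a negative entry would turn into a very large sample rate or channel count with no check in this constructor. Reading into local `int32_t` variables, checking that they are positive, and then assigning removes the pointer cast and makes the range assumption explicit. The values may already be validated before the metadata is populated, but that code is outside this hunk, and the constructor's opening lines are also outside it.

```cpp
    mGroup(NULL) {
    // Read as signed (the metadata API's type), validate, then store unsigned.
    int32_t sampleRate = 0;
    int32_t numChannels = 0;
    CHECK(mMeta.findInt32(kKeySampleRate, &sampleRate));
    CHECK(mMeta.findInt32(kKeyChannelCount, &numChannels));
    CHECK(sampleRate > 0 && numChannels > 0);
    mSampleRate = (uint32_t) sampleRate;
    mNumChannels = (uint32_t) numChannels;
    // … unchanged: setInt32(kKeyMaxInputSize, kMaxFrameSize) …
```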
@@ -452,8 +452,8 @@
mBitsPerSample == 8 ? kMaxFrameSize / 2 :
(mBitsPerSample == 24 ? 3*(kMaxFrameSize/3): kMaxFrameSize);
- size_t maxBytesAvailable =
- (mCurrentPos - mOffset >= (off64_t)mSize)
+ const size_t maxBytesAvailable =
+ (mCurrentPos < mOffset || mCurrentPos - mOffset >= (off64_t)mSize)
? 0 : mSize - (mCurrentPos - mOffset);
if (maxBytesToRead > maxBytesAvailable) {
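Review bot: The added `mCurrentPos < mOffset` guard is the actual fix but has no comment saying what it prevents. Without it, a position before the data start made `mCurrentPos - mOffset` negative, the `>=` test failed, and `mSize - (negative)` produced an available-byte count larger than `mSize`. I would add `// A position before mOffset would make the difference negative and inflate the result past mSize; treat it as no data available.` above the declaration. How `mCurrentPos` can fall below `mOffset` is decided outside this hunk (presumably in the seek handling), so clamping or rejecting it at that point as well would be worth confirming. The enclosing function starts and ends outside the hunk.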