commit e358e2190aa61e5d8e28b1df698a82eecd47ead2
author Marco Nelissen <marcone@google.com> Wed Jun 08 23:43:43 2016 +0000
committer android-build-merger <android-build-merger@google.com> Wed Jun 08 23:43:43 2016 +0000
tree e202405345149df7cd561ee3211ae7fc254ec42f
parent 247a92eec4b0a8e4a9fd31b2755e96928b2895d0
parent 6b478e2c566c12d400affc35f102807ef29fc1d3

Fix potential overflow am: d0090759e7 am: f5d9360be0 am: 08cb85206a am: 20062e9ea6 am: 999c3ea23b am: 7f4bf86afd am: 356a30b4cb am: 9da2f9de13 am: 24a01b2940 am: aae6e3a42a
am: 6b478e2c56

Change-Id: I8de38ccee100e5f363292f24c8375e05726a154d

media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c

diff --git a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
index 9517d0a..799bd16 100644
--- a/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
+++ b/media/libstagefright/codecs/on2/h264dec/source/h264bsd_dpb.c
@@ -60,6 +60,7 @@
 #include "h264bsd_util.h"
 #include "basetype.h"
 
+#include <log/log.h>
 /*------------------------------------------------------------------------------
     2. External compiler flags
 --------------------------------------------------------------------------------
@@ -998,6 +999,13 @@
     ASSERT(maxFrameNum);
     ASSERT(dpbSize);
 
+    // see comment in loop below about size calculation
+    if (picSizeInMbs > (UINT32_MAX - 32 - 15) / 384) {
+        ALOGE("b/28533562");
+        android_errorWriteLog(0x534e4554, "28533562");
+        return(MEMORY_ALLOCATION_ERROR);
+    }
+
     dpb->maxLongTermFrameIdx = NO_LONG_TERM_FRAME_INDICES;
     dpb->maxRefFrames        = MAX(maxRefFrames, 1);
     if (noReordering)