Initialize mRowBytes and mSize with overflow check.
Bug: b/233006499
Test: libstagefright_frameDecoder_fuzzer
Merged-In: Ia1d1b65164e142c6431aead18073c121a531994a
Change-Id: Ia1d1b65164e142c6431aead18073c121a531994a
diff --git a/include/private/media/VideoFrame.h b/include/private/media/VideoFrame.h
index d4025e5..78ea2a1 100644
--- a/include/private/media/VideoFrame.h
+++ b/include/private/media/VideoFrame.h
@@ -42,9 +42,15 @@
mWidth(width), mHeight(height),
mDisplayWidth(displayWidth), mDisplayHeight(displayHeight),
mTileWidth(tileWidth), mTileHeight(tileHeight), mDurationUs(0),
- mRotationAngle(angle), mBytesPerPixel(bpp), mRowBytes(bpp * width),
- mSize(hasData ? (bpp * width * height) : 0),
- mIccSize(iccSize), mBitDepth(bitDepth) {
+ mRotationAngle(angle), mBytesPerPixel(bpp), mIccSize(iccSize),
+ mBitDepth(bitDepth) {
+ uint32_t multVal;
+ mRowBytes = __builtin_mul_overflow(bpp, width, &multVal) ? 0 : multVal;
+ mSize = __builtin_mul_overflow(multVal, height, &multVal) ? 0 : multVal;
+ if (hasData && (mRowBytes == 0 || mSize == 0)) {
+ ALOGE("Frame rowBytes/ size overflow %dx%d bpp %d", width, height, bpp);
+ android_errorWriteLog(0x534e4554, "233006499");
+ }
}
void init(const VideoFrame& copy, const void* iccData, size_t iccSize) {
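Review bot: In the added constructor body, the second `__builtin_mul_overflow(multVal, height, &multVal)` still runs after the first multiplication has overflowed, so it multiplies the wrapped `bpp * width` value and can leave `mSize` non-zero while `mRowBytes` is 0; the `if` that follows only logs and resets neither member. The removed initializer also forced `mSize` to 0 when `hasData` was false, which the new assignment no longer does and the commit message does not mention. Both can be closed by deriving the size from the checked row stride, e.g. `mSize = (!hasData || mRowBytes == 0 || __builtin_mul_overflow(mRowBytes, height, &multVal)) ? 0 : multVal;`. The constructor's signature is outside the hunk, so the argument types are not visible; if `width`, `height` and `bpp` are unsigned, the `%d` conversions in the `ALOGE` call should be `%u`.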