stagefright: MPEG4Writer: fix Integer overflow
unsigned int was getting assigned to a negative value, which in turn was
leading to a crash in htonl.
Bug: 34757428
Test: Builds cleanly
Change-Id: Iacb580adc5b84cef09feabcb3e1b394a7e80bc40
diff --git a/media/libstagefright/MPEG4Writer.cpp b/media/libstagefright/MPEG4Writer.cpp
index d46ef3c..cafedba 100755
--- a/media/libstagefright/MPEG4Writer.cpp
+++ b/media/libstagefright/MPEG4Writer.cpp
@@ -3669,11 +3669,19 @@
mOwner->beginBox("ctts");
mOwner->writeInt32(0); // version=0, flags=0
- uint32_t delta = mMinCttsOffsetTimeUs - getStartTimeOffsetScaledTime();
+ int64_t delta = mMinCttsOffsetTimeUs - getStartTimeOffsetScaledTime();
mCttsTableEntries->adjustEntries([delta](size_t /* ix */, uint32_t (&value)[2]) {
// entries are <count, ctts> pairs; adjust only ctts
uint32_t duration = htonl(value[1]); // back to host byte order
- value[1] = htonl(duration - delta);
+ // Prevent overflow and underflow
+ if (delta > duration) {
+ duration = 0;
+ } else if (delta < 0 && UINT32_MAX + delta < duration) {
+ duration = UINT32_MAX;
+ } else {
+ duration -= delta;
+ }
+ value[1] = htonl(duration);
});
mCttsTableEntries->write(mOwner);
mOwner->endBox(); // ctts
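Review bot: The two saturation branches, `if (delta > duration)` and `else if (delta < 0 && UINT32_MAX + delta < duration)`, silently rewrite a ctts entry to 0 or UINT32_MAX, so the file is written with altered composition offsets and nothing in the log records it. Reaching either branch suggests that delta is not bounded by the table entries the way the original subtraction assumed, so I would emit a single warning when a clamp happens, for example `ALOGW("ctts offset clamped, delta=%lld", (long long)delta);`, ideally set from a flag and logged once after `adjustEntries` returns rather than per entry. The comparisons are correct only because `duration` and `UINT32_MAX` are widened to int64_t before comparing; replacing `// Prevent overflow and underflow` with `// saturate to [0, UINT32_MAX]; both tests are evaluated in int64_t, so they cannot wrap` would keep a later type change from reintroducing the wrap. The commit lists only "Builds cleanly" as its test, so a unit case that drives both clamp branches would be worth adding. The enclosing function starts and ends outside this hunk.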