Mitigate issues around arithmetic overflow am: a2c1f6a13f
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/14251625
Change-Id: I55647bf06ae54f4162a7a507d075a8ee39454809
diff --git a/media/extractors/wav/WAVExtractor.cpp b/media/extractors/wav/WAVExtractor.cpp
index 901b29d..9e94587 100644
--- a/media/extractors/wav/WAVExtractor.cpp
+++ b/media/extractors/wav/WAVExtractor.cpp
@@ -440,19 +440,22 @@
int64_t seekTimeUs;
ReadOptions::SeekMode mode;
if (options != NULL && options->getSeekTo(&seekTimeUs, &mode)) {
- int64_t pos = 0;
-
+ int64_t pos;
+ int64_t sampleNumber;
+ bool overflowed = __builtin_mul_overflow(seekTimeUs, mSampleRate, &sampleNumber);
+ sampleNumber /= 1000000;
if (mWaveFormat == WAVE_FORMAT_MSGSM) {
// 65 bytes decode to 320 8kHz samples
- int64_t samplenumber = (seekTimeUs * mSampleRate) / 1000000;
- int64_t framenumber = samplenumber / 320;
- pos = framenumber * 65;
+ pos = sampleNumber / 320 * 65;
} else {
- pos = (seekTimeUs * mSampleRate) / 1000000 * mNumChannels * (mBitsPerSample >> 3);
+ int64_t bytesPerFrame;
+ overflowed |= __builtin_mul_overflow(mNumChannels, mBitsPerSample >> 3, &bytesPerFrame);
+ overflowed |= __builtin_mul_overflow(bytesPerFrame, sampleNumber, &pos);
}
- if (pos > (off64_t)mSize) {
- pos = mSize;
+ if (overflowed) {
+ return AMEDIA_ERROR_MALFORMED;
}
+ pos = std::clamp(pos, (int64_t) 0, (int64_t) mSize);
mCurrentPos = pos + mOffset;
}