commit fc842287cc2c1397c03a48f6d60a54e4dcf109f4
author Marco Nelissen <marcone@google.com> Tue Aug 14 10:30:37 2018 -0700
committer android-build-merger <android-build-merger@google.com> Tue Aug 14 10:30:37 2018 -0700
tree 1571edfe798912f1c44edc37199ff4f599cf270c
parent ff404db0d6611e86304075cf35a8835315bed63a
parent 960c43e6f5dc9b0683e80f5cd04fa8d5a73426ce

[automerger] Check for overflow of crypto size am: d1fd027612 am: fe8dc06116 am: 1d1379f47d am: 7b432adb13 am: 4572777872 am: 1b227ecd31
am: 960c43e6f5

Change-Id: I25778ee7a8acbafcb9fe4249fd2c8857612bb180

media/ndk/NdkMediaCodec.cpp

diff --git a/media/ndk/NdkMediaCodec.cpp b/media/ndk/NdkMediaCodec.cpp
index 128edba..f313e90 100644
--- a/media/ndk/NdkMediaCodec.cpp
+++ b/media/ndk/NdkMediaCodec.cpp
@@ -553,7 +553,13 @@
         size_t *encryptedbytes) {
 
     // size needed to store all the crypto data
-    size_t cryptosize = sizeof(AMediaCodecCryptoInfo) + sizeof(size_t) * numsubsamples * 2;
+    size_t cryptosize;
+    // = sizeof(AMediaCodecCryptoInfo) + sizeof(size_t) * numsubsamples * 2;
+    if (__builtin_mul_overflow(sizeof(size_t) * 2, numsubsamples, &cryptosize) ||
+            __builtin_add_overflow(cryptosize, sizeof(AMediaCodecCryptoInfo), &cryptosize)) {
+        ALOGE("crypto size overflow");
+        return NULL;
+    }
     AMediaCodecCryptoInfo *ret = (AMediaCodecCryptoInfo*) malloc(cryptosize);
     if (!ret) {
         ALOGE("couldn't allocate %zu bytes", cryptosize);