diff options
author | Wei Jia <wjia@google.com> | 2015-08-12 10:41:00 -0700 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-19 02:50:27 +0200 |
commit | 72ae58fdd991f50c084e615776cb5306825f7b19 (patch) | |
tree | cc23b5a276c8600c614866d5342e68b85e9d9e48 | |
parent | 86af210a9abd657f1f3b9571d347fa62e8ed85a1 (diff) | |
download | frameworks_av-72ae58fdd991f50c084e615776cb5306825f7b19.zip frameworks_av-72ae58fdd991f50c084e615776cb5306825f7b19.tar.gz frameworks_av-72ae58fdd991f50c084e615776cb5306825f7b19.tar.bz2 |
libstagefright: fix possible overflow in ID3.
Bug: 23129786
Change-Id: I2e6b7a6927aa4362ab49dd6824bbb1abf7b4e661
(cherry picked from commit 09da86913ca97d7a818a8917b6601527e5e18a24)
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
-rw-r--r-- | media/libstagefright/id3/ID3.cpp | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 112f136..581f4be 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -283,7 +283,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) { size_t oldSize = mSize; size_t offset = 0; - while (offset + 10 <= mSize) { + while (mSize >= 10 && offset <= mSize - 10) { if (!memcmp(&mData[offset], "\0\0\0\0", 4)) { break; } @@ -295,7 +295,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) { return false; } - if (offset + dataSize + 10 > mSize) { + if (dataSize > mSize - 10 - offset) { return false; } @@ -305,6 +305,9 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) { if (flags & 1) { // Strip data length indicator + if (mSize < 14 || mSize - 14 < offset) { + return false; + } memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14); mSize -= 4; dataSize -= 4; |