diff options
| author | Marco Nelissen <marcone@google.com> | 2015-08-04 16:49:28 -0700 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-19 01:31:12 +0200 |
| commit | 7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08 (patch) | |
| tree | bd7a222e85142c8c5bb5ed81c4323e191b395002 | |
| parent | 7bf55c9cb03af91c92071c07e4206936b04b397c (diff) | |
| download | frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.zip frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.tar.gz frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.tar.bz2 | |
Fix crash on malformed id3
Bug: 22954006
Change-Id: I488cb1e2c69fc7043b6040481b30fa866000515d
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
| -rw-r--r-- | include/media/stagefright/MetaData.h | 2 | ||||
| -rw-r--r-- | media/libstagefright/MetaData.cpp | 32 | ||||
| -rw-r--r-- | media/libstagefright/id3/ID3.cpp | 6 |
3 files changed, 27 insertions, 13 deletions
diff --git a/include/media/stagefright/MetaData.h b/include/media/stagefright/MetaData.h index e91904c..6249284 100644 --- a/include/media/stagefright/MetaData.h +++ b/include/media/stagefright/MetaData.h @@ -239,7 +239,7 @@ private: return mSize <= sizeof(u.reservoir); } - void allocateStorage(size_t size); + void *allocateStorage(size_t size); void freeStorage(); void *storage() { diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp index 642d15a..41d2b23 100644 --- a/media/libstagefright/MetaData.cpp +++ b/media/libstagefright/MetaData.cpp @@ -230,8 +230,11 @@ MetaData::typed_data::~typed_data() { MetaData::typed_data::typed_data(const typed_data &from) : mType(from.mType), mSize(0) { - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } MetaData::typed_data &MetaData::typed_data::operator=( @@ -239,8 +242,10 @@ MetaData::typed_data &MetaData::typed_data::operator=( if (this != &from) { clear(); mType = from.mType; - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } return *this; @@ -257,13 +262,11 @@ void MetaData::typed_data::setData( clear(); mType = type; - allocateStorage(size); - void *dst = storage(); - if (!dst) { - ALOGE("Couldn't allocate %zu bytes for item", size); - return; + + void *dst = allocateStorage(size); + if (dst) { + memcpy(dst, data, size); } - memcpy(dst, data, size); } void MetaData::typed_data::getData( @@ -273,14 +276,19 @@ void MetaData::typed_data::getData( *data = storage(); } -void MetaData::typed_data::allocateStorage(size_t size) { +void *MetaData::typed_data::allocateStorage(size_t size) { mSize = size; if (usesReservoir()) { - return; + return &u.reservoir; } u.ext_data = malloc(mSize); + if (u.ext_data == NULL) { + ALOGE("Couldn't allocate %zu bytes for item", size); + mSize = 0; + } + return u.ext_data; } void MetaData::typed_data::freeStorage() { diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 22c2f5a..93176c5 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -776,6 +776,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const { size_t descLen = StringSize(&data[2 + mimeLen], encoding); + if (size < 2 || + size - 2 < mimeLen || + size - 2 - mimeLen < descLen) { + ALOGW("bogus album art sizes"); + return NULL; + } *length = size - 2 - mimeLen - descLen; return &data[2 + mimeLen + descLen]; |