Fix for memory corruption in ID3::removeUnsynchronizationV2_4().

Bug: 23227354 Change-Id: Iaa36cfda4fd84ca7e039f56086fd61b4118020db (cherry picked from commit 77e23413a539df16503e356bd4df4a952f3abc47) Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
author: Neel Mehta <nmehta@google.com> 2015-08-14 17:38:48 -0700
committer: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2015-10-19 02:54:23 +0200
commit: e707ee311a688bfcfced3f5b9160a58ca6de95c9 (patch)
tree: 5c7b2cffc47ca883a6a56a1cc5a6aaa804d1caaa
parent: cb60edaf4944f25f36e6e790682b200bc981d3b2 (diff)
download: frameworks_av-e707ee311a688bfcfced3f5b9160a58ca6de95c9.zip
frameworks_av-e707ee311a688bfcfced3f5b9160a58ca6de95c9.tar.gz
frameworks_av-e707ee311a688bfcfced3f5b9160a58ca6de95c9.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 581f4be..052e0a3 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -305,7 +305,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
         if (flags & 1) {
             // Strip data length indicator
 
-            if (mSize < 14 || mSize - 14 < offset) {
+            if (mSize < 14 || mSize - 14 < offset || dataSize < 4) {
                 return false;
             }
             memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
author	Neel Mehta <nmehta@google.com>	2015-08-14 17:38:48 -0700
committer	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2015-10-19 02:54:23 +0200
commit	e707ee311a688bfcfced3f5b9160a58ca6de95c9 (patch)
tree	5c7b2cffc47ca883a6a56a1cc5a6aaa804d1caaa
parent	cb60edaf4944f25f36e6e790682b200bc981d3b2 (diff)
download	frameworks_av-e707ee311a688bfcfced3f5b9160a58ca6de95c9.zip frameworks_av-e707ee311a688bfcfced3f5b9160a58ca6de95c9.tar.gz frameworks_av-e707ee311a688bfcfced3f5b9160a58ca6de95c9.tar.bz2