Fix crash on malformed id3

Bug: 22954006 Change-Id: I488cb1e2c69fc7043b6040481b30fa866000515d Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
author: Marco Nelissen <marcone@google.com> 2015-08-04 16:49:28 -0700
committer: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2015-10-19 01:31:12 +0200
commit: 7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08 (patch)
tree: bd7a222e85142c8c5bb5ed81c4323e191b395002 /media/libstagefright/id3/ID3.cpp
parent: 7bf55c9cb03af91c92071c07e4206936b04b397c (diff)
download: frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.zip
frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.tar.gz
frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 22c2f5a..93176c5 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -776,6 +776,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
 
             size_t descLen = StringSize(&data[2 + mimeLen], encoding);
 
+            if (size < 2 ||
+                    size - 2 < mimeLen ||
+                    size - 2 - mimeLen < descLen) {
+                ALOGW("bogus album art sizes");
+                return NULL;
+            }
             *length = size - 2 - mimeLen - descLen;
 
             return &data[2 + mimeLen + descLen];
author	Marco Nelissen <marcone@google.com>	2015-08-04 16:49:28 -0700
committer	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2015-10-19 01:31:12 +0200
commit	7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08 (patch)
tree	bd7a222e85142c8c5bb5ed81c4323e191b395002 /media/libstagefright/id3/ID3.cpp
parent	7bf55c9cb03af91c92071c07e4206936b04b397c (diff)
download	frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.zip frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.tar.gz frameworks_av-7f19016ed47b1fa709a0f4bb4fa7a48f3d70ed08.tar.bz2