diff options
| author | Marco Nelissen <marcone@google.com> | 2015-08-06 08:03:47 -0700 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-19 02:47:17 +0200 |
| commit | 86af210a9abd657f1f3b9571d347fa62e8ed85a1 (patch) | |
| tree | 71a9be8bba5087256bbb9f1225561fcd53c41539 /media | |
| parent | c941cf0ca5ee0a74f26846cae725088026f50303 (diff) | |
| download | frameworks_av-86af210a9abd657f1f3b9571d347fa62e8ed85a1.zip frameworks_av-86af210a9abd657f1f3b9571d347fa62e8ed85a1.tar.gz frameworks_av-86af210a9abd657f1f3b9571d347fa62e8ed85a1.tar.bz2 | |
Fix Ogg album art
Bug: 23036083
Bug: https://code.google.com/p/android/issues/detail?id=182053
Change-Id: I1a5cbe06990900160c2addade238c1e9feab8f71
(cherry picked from commit c63cc509404b9328aedd1be3adc4e87cd07b4eb1)
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/OggExtractor.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp index 5e79e78..073c53f 100644 --- a/media/libstagefright/OggExtractor.cpp +++ b/media/libstagefright/OggExtractor.cpp @@ -923,11 +923,12 @@ static void extractAlbumArt( } typeLen = U32_AT(&flac[4]); - if (typeLen + 1 > sizeof(type)) { + if (typeLen > sizeof(type) - 1) { goto exit; } - if (flacSize < 8 + typeLen) { + // we've already checked above that flacSize >= 8 + if (flacSize - 8 < typeLen) { goto exit; } @@ -943,13 +944,17 @@ static void extractAlbumArt( descLen = U32_AT(&flac[8 + typeLen]); - if (flacSize < 32 + typeLen + descLen) { + if (flacSize < 32 || + flacSize - 32 < typeLen || + flacSize - 32 - typeLen < descLen) { goto exit; } dataLen = U32_AT(&flac[8 + typeLen + 4 + descLen + 16]); - if (flacSize < 32 + typeLen + descLen + dataLen) { + + // we've already checked above that (flacSize - 32 - typeLen - descLen) >= 0 + if (flacSize - 32 - typeLen - descLen < dataLen) { goto exit; } |