From e707ee311a688bfcfced3f5b9160a58ca6de95c9 Mon Sep 17 00:00:00 2001
From: Neel Mehta
Date: Fri, 14 Aug 2015 17:38:48 -0700
Subject: Fix for memory corruption in ID3::removeUnsynchronizationV2_4().
Bug: 23227354
Change-Id: Iaa36cfda4fd84ca7e039f56086fd61b4118020db
(cherry picked from commit 77e23413a539df16503e356bd4df4a952f3abc47)
Tested-by: Wolfgang Wiedmeyer
---
 media/libstagefright/id3/ID3.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 581f4be..052e0a3 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -305,7 +305,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
 if (flags & 1) {
 // Strip data length indicator
- if (mSize < 14 || mSize - 14 < offset) {
+ if (mSize < 14 || mSize - 14 < offset || dataSize < 4) {
 return false;
 }
 memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
-- 
cgit v1.1
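Review bot: The new `dataSize < 4` clause in the guard before the `memmove` has no comment saying why a frame-size check sits beside the two buffer-bounds checks on `mSize` and `offset`. The first two clauses bound the `memmove` itself, while the third presumably protects a later `dataSize -= 4` that is outside this hunk, where an unsigned `dataSize` below 4 would wrap to a huge value. I would add a comment above the condition such as `// dataSize includes the 4-byte data length indicator; reject frames too small to hold it so the later subtraction cannot wrap.` Naming the literals 10, 14 and 4 as constants (frame header size, header plus indicator, indicator size) would also make the three clauses auditable at a glance. The body of removeUnsynchronizationV2_4 starts and ends outside the hunk, so how `dataSize` is validated earlier and used afterwards should be confirmed against the full function, ideally with a regression test for a frame that sets flag bit 0 and declares a size under 4.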