From 72ae58fdd991f50c084e615776cb5306825f7b19 Mon Sep 17 00:00:00 2001
From: Wei Jia
Date: Wed, 12 Aug 2015 10:41:00 -0700
Subject: libstagefright: fix possible overflow in ID3.
Bug: 23129786
Change-Id: I2e6b7a6927aa4362ab49dd6824bbb1abf7b4e661
(cherry picked from commit 09da86913ca97d7a818a8917b6601527e5e18a24)
Tested-by: Wolfgang Wiedmeyer
---
 media/libstagefright/id3/ID3.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'media')
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 112f136..581f4be 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -283,7 +283,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
     size_t oldSize = mSize;
     size_t offset = 0;
-    while (offset + 10 <= mSize) {
+    while (mSize >= 10 && offset <= mSize - 10) {
         if (!memcmp(&mData[offset], "\0\0\0\0", 4)) {
             break;
         }
@@ -295,7 +295,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
             return false;
         }
-        if (offset + dataSize + 10 > mSize) {
+        if (dataSize > mSize - 10 - offset) {
             return false;
         }
@@ -305,6 +305,9 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
         if (flags & 1) {
             // Strip data length indicator
+            if (mSize < 14 || mSize - 14 < offset) {
+                return false;
+            }
             memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
             mSize -= 4;
             dataSize -= 4;
--
cgit v1.1
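Review bot: The rewritten bound `if (dataSize > mSize - 10 - offset)` in the second hunk is only wrap-free because the loop condition from the first hunk (`offset <= mSize - 10`) still holds at this point, and nothing in the code says so; a later edit that adds an `offset` adjustment between the two would silently reintroduce the unsigned underflow this commit removes. I would pin the invariant next to the check: `// offset <= mSize - 10 here (loop condition), so the subtraction cannot wrap`. The enclosing function starts before the first hunk and continues past the last one, so the intervening lines are not visible here.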
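Review bot: The new guard in the third hunk protects the `memmove` but the `dataSize -= 4;` two lines below it still has no check that `dataSize` is at least 4; if `dataSize` is unsigned (its declaration is outside the hunk, so this is inferred) a frame with the data-length-indicator flag set and a declared size under 4 wraps it to a huge value that the rest of the loop then uses. The passed size check `dataSize <= mSize - 10 - offset` does not imply `dataSize >= 4`, so the added guard could be extended to `if (mSize < 14 || mSize - 14 < offset || dataSize < 4) {` with the same `return false;`. How `dataSize` is consumed after this point is outside the hunk, so the severity is an inference; the missing check is not.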