| author | Marco Nelissen <marcone@google.com> | 2015-08-07 14:32:40 +0000 | 
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-07 14:32:40 +0000 | 
| commit | 171b5fadb9d304f5e06686e4f3d060ef335d7250 (patch) | |
| tree | 8d45331766e9cb5c701db4a8ca4e51e89f1ac5ad | |
| parent | d8bb17e33ef33ce173fa2d096211785145d41921 (diff) | |
| parent | d6ea7f65dd31d5dacf497cc3c494d4fa3910f7c3 (diff) | |
am d6ea7f65: am f26400c9: Fix crash on malformed id3
* commit 'd6ea7f65dd31d5dacf497cc3c494d4fa3910f7c3':
  Fix crash on malformed id3
| -rw-r--r-- | include/media/stagefright/MetaData.h | 2 | ||||
| -rw-r--r-- | media/libstagefright/MetaData.cpp | 32 | ||||
| -rw-r--r-- | media/libstagefright/id3/ID3.cpp | 6 | 
3 files changed, 27 insertions, 13 deletions
diff --git a/include/media/stagefright/MetaData.h b/include/media/stagefright/MetaData.h
index 087d016..3f42790 100644
--- a/include/media/stagefright/MetaData.h
+++ b/include/media/stagefright/MetaData.h
@@ -260,7 +260,7 @@ private:
             return mSize <= sizeof(u.reservoir);
         }
-        void allocateStorage(size_t size);
+        void *allocateStorage(size_t size);
         void freeStorage();
         void *storage() {
diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp
index 7d867b7..1a11c1e 100644
--- a/media/libstagefright/MetaData.cpp
+++ b/media/libstagefright/MetaData.cpp
@@ -244,8 +244,11 @@ MetaData::typed_data::~typed_data() {
 MetaData::typed_data::typed_data(const typed_data &from)
     : mType(from.mType),
       mSize(0) {
-    allocateStorage(from.mSize);
-    memcpy(storage(), from.storage(), mSize);
+
+    void *dst = allocateStorage(from.mSize);
+    if (dst) {
+        memcpy(dst, from.storage(), mSize);
+    }
 }
 MetaData::typed_data &MetaData::typed_data::operator=(
@@ -253,8 +256,10 @@ MetaData::typed_data &MetaData::typed_data::operator=(
     if (this != &from) {
         clear();
         mType = from.mType;
-        allocateStorage(from.mSize);
-        memcpy(storage(), from.storage(), mSize);
+        void *dst = allocateStorage(from.mSize);
+        if (dst) {
+            memcpy(dst, from.storage(), mSize);
+        }
     }
     return *this;
@@ -271,13 +276,11 @@ void MetaData::typed_data::setData(
     clear();
     mType = type;
-    allocateStorage(size);
-    void *dst = storage();
-    if (!dst) {
-        ALOGE("Couldn't allocate %zu bytes for item", size);
-        return;
+
+    void *dst = allocateStorage(size);
+    if (dst) {
+        memcpy(dst, data, size);
     }
-    memcpy(dst, data, size);
 }
 void MetaData::typed_data::getData(
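Review bot: When `allocateStorage()` returns NULL in the copy constructor, the new item keeps `mType` from `from` while `mSize` has been reset to 0, so it advertises a type it holds no bytes for; the `operator=` and `setData` hunks below have the same shape because `mType` is assigned before the allocation. Readers elsewhere in the file that match on the type without also checking the size would then see an empty or stale buffer, though those readers are outside this diff and this is inferred. I would clear the type in the failure path, e.g. `if (dst) { memcpy(dst, from.storage(), mSize); } else { mType = 0; }`, using whatever value the class treats as "no item". All three functions return no status, so the failure is otherwise visible only in the log line emitted by `allocateStorage()`.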
@@ -287,14 +290,19 @@ void MetaData::typed_data::getData(
     *data = storage();
 }
-void MetaData::typed_data::allocateStorage(size_t size) {
+void *MetaData::typed_data::allocateStorage(size_t size) {
     mSize = size;
     if (usesReservoir()) {
-        return;
+        return &u.reservoir;
     }
     u.ext_data = malloc(mSize);
+    if (u.ext_data == NULL) {
+        ALOGE("Couldn't allocate %zu bytes for item", size);
+        mSize = 0;
+    }
+    return u.ext_data;
 }
 void MetaData::typed_data::freeStorage() {
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 7f221a0..3ef175b 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -804,6 +804,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
             size_t descLen = StringSize(&data[2 + mimeLen], encoding);
+            if (size < 2 ||
+                    size - 2 < mimeLen ||
+                    size - 2 - mimeLen < descLen) {
+                ALOGW("bogus album art sizes");
+                return NULL;
+            }
             *length = size - 2 - mimeLen - descLen;
             return &data[2 + mimeLen + descLen];
 |
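Review bot: The new return contract of `allocateStorage()` is not documented anywhere in the hunk, and it is subtle: the function now returns either the inline reservoir or a heap block, and on malloc failure it returns NULL and rewrites `mSize` to 0, which callers rely on for their later `memcpy(..., mSize)`. A short header comment would make that explicit, e.g. `// Returns the buffer for |size| bytes (inline reservoir or malloc'd block); on allocation failure returns NULL and resets mSize to 0.` It is also worth noting in that comment that resetting `mSize` makes `usesReservoir()` true again, which is presumably what keeps `freeStorage()` from touching the NULL `u.ext_data` (its body is outside the hunk).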
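Review bot: The added bounds check runs after `StringSize(&data[2 + mimeLen], encoding)` has already been evaluated on the context line above it, so when `mimeLen` exceeds `size - 2` the description scan starts beyond the frame before anything rejects the tag. The `size < 2` and `size - 2 < mimeLen` conditions should be tested before `descLen` is computed, leaving only the `descLen` comparison after it. `StringSize` is called without a length argument, so it presumably looks for a terminator on its own and may still run past the frame when none is present; passing it the remaining byte count would close that, but its definition is outside this diff. The enclosing `getAlbumArt` body, including where `mimeLen` is derived, starts and ends outside the hunk.

```cpp
            // … unchanged: mimeLen computed above the hunk …
            if (size < 2 || size - 2 < mimeLen) {
                ALOGW("bogus album art sizes");
                return NULL;
            }
            size_t descLen = StringSize(&data[2 + mimeLen], encoding);
            if (size - 2 - mimeLen < descLen) {
                ALOGW("bogus album art sizes");
                return NULL;
            }
            // … unchanged: *length assignment and return of &data[2 + mimeLen + descLen] …
```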
