diff options
| author | Nick Kralevich <nnk@google.com> | 2015-04-10 23:16:02 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-04-10 23:16:03 +0000 |
| commit | 6429079345404932c5be5956efc7154390d2ed0e (patch) | |
| tree | 1de9424be4ec0eb26b27a6816a27aaafc254a77f | |
| parent | 17b625b7f51b75fde6640c737474b8b2c51412bf (diff) | |
| parent | 0e4e5a8c09c63548f2a00c77ab5038b7703384bc (diff) | |
| download | frameworks_av-6429079345404932c5be5956efc7154390d2ed0e.zip frameworks_av-6429079345404932c5be5956efc7154390d2ed0e.tar.gz frameworks_av-6429079345404932c5be5956efc7154390d2ed0e.tar.bz2 | |
Merge "Fix integer underflow in ESDS processing" into klp-dev
| -rw-r--r-- | media/libstagefright/ESDS.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp index 4a0c35c..c76bc4a 100644 --- a/media/libstagefright/ESDS.cpp +++ b/media/libstagefright/ESDS.cpp @@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { --size; if (streamDependenceFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; } @@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { return ERROR_MALFORMED; } unsigned URLlength = mData[offset]; + if (URLlength >= size) + return ERROR_MALFORMED; offset += URLlength + 1; size -= URLlength + 1; } if (OCRstreamFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; |