diff options
| author | Marco Nelissen <marcone@google.com> | 2015-08-07 14:25:10 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-07 14:25:10 +0000 |
| commit | d6ea7f65dd31d5dacf497cc3c494d4fa3910f7c3 (patch) | |
| tree | b62ef0d8d86dd5a159fda3997b7b7369ced8a96c | |
| parent | 42bd61d73e8b4d0b1101e73324a59fde51077112 (diff) | |
| parent | f26400c9d01a0e2f71690d5ebc644270f098d590 (diff) | |
| download | frameworks_av-d6ea7f65dd31d5dacf497cc3c494d4fa3910f7c3.zip frameworks_av-d6ea7f65dd31d5dacf497cc3c494d4fa3910f7c3.tar.gz frameworks_av-d6ea7f65dd31d5dacf497cc3c494d4fa3910f7c3.tar.bz2 | |
am f26400c9: Fix crash on malformed id3
* commit 'f26400c9d01a0e2f71690d5ebc644270f098d590':
Fix crash on malformed id3
| -rw-r--r-- | include/media/stagefright/MetaData.h | 2 | ||||
| -rw-r--r-- | media/libstagefright/MetaData.cpp | 32 | ||||
| -rw-r--r-- | media/libstagefright/id3/ID3.cpp | 6 |
3 files changed, 27 insertions, 13 deletions
diff --git a/include/media/stagefright/MetaData.h b/include/media/stagefright/MetaData.h index db8216b..f51c12d 100644 --- a/include/media/stagefright/MetaData.h +++ b/include/media/stagefright/MetaData.h @@ -248,7 +248,7 @@ private: return mSize <= sizeof(u.reservoir); } - void allocateStorage(size_t size); + void *allocateStorage(size_t size); void freeStorage(); void *storage() { diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp index cfc5f19..725f97e 100644 --- a/media/libstagefright/MetaData.cpp +++ b/media/libstagefright/MetaData.cpp @@ -243,8 +243,11 @@ MetaData::typed_data::~typed_data() { MetaData::typed_data::typed_data(const typed_data &from) : mType(from.mType), mSize(0) { - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } MetaData::typed_data &MetaData::typed_data::operator=( @@ -252,8 +255,10 @@ MetaData::typed_data &MetaData::typed_data::operator=( if (this != &from) { clear(); mType = from.mType; - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } return *this; @@ -270,13 +275,11 @@ void MetaData::typed_data::setData( clear(); mType = type; - allocateStorage(size); - void *dst = storage(); - if (!dst) { - ALOGE("Couldn't allocate %zu bytes for item", size); - return; + + void *dst = allocateStorage(size); + if (dst) { + memcpy(dst, data, size); } - memcpy(dst, data, size); } void MetaData::typed_data::getData( @@ -286,14 +289,19 @@ void MetaData::typed_data::getData( *data = storage(); } -void MetaData::typed_data::allocateStorage(size_t size) { +void *MetaData::typed_data::allocateStorage(size_t size) { mSize = size; if (usesReservoir()) { - return; + return &u.reservoir; } u.ext_data = malloc(mSize); + if (u.ext_data == NULL) { + ALOGE("Couldn't allocate %zu bytes for item", size); + mSize = 0; + } + return u.ext_data; } void MetaData::typed_data::freeStorage() { diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 1ec4a40..461bf6e 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -825,6 +825,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const { size_t descLen = StringSize(&data[2 + mimeLen], encoding); + if (size < 2 || + size - 2 < mimeLen || + size - 2 - mimeLen < descLen) { + ALOGW("bogus album art sizes"); + return NULL; + } *length = size - 2 - mimeLen - descLen; return &data[2 + mimeLen + descLen]; |