summaryrefslogtreecommitdiffstats
path: root/media/libmediaplayerservice
diff options
context:
space:
mode:
authorRobert Shih <robertshih@google.com>2016-03-18 14:34:57 -0700
committerThe Android Automerger <android-build@google.com>2016-03-25 17:46:45 -0700
commita2d1d85726aa2a3126e9c331a8e00a8c319c9e2b (patch)
treeaa3d06685b76e6bac9056e4c56aa8bea3c58ae2b /media/libmediaplayerservice
parentb04aee833c5cfb6b31b8558350feb14bb1a0f353 (diff)
downloadframeworks_av-a2d1d85726aa2a3126e9c331a8e00a8c319c9e2b.zip
frameworks_av-a2d1d85726aa2a3126e9c331a8e00a8c319c9e2b.tar.gz
frameworks_av-a2d1d85726aa2a3126e9c331a8e00a8c319c9e2b.tar.bz2
NuPlayerStreamListener: NULL and bounds check before memcpy
Bug: 27533704 Change-Id: I992a7709b92b1cbc3114c97bec48a3fc5b22ba6e
Diffstat (limited to 'media/libmediaplayerservice')
-rw-r--r--media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp11
1 files changed, 10 insertions, 1 deletions
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
index f53afbd..ee70306 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
@@ -144,8 +144,17 @@ ssize_t NuPlayer::NuPlayerStreamListener::read(
copy = size;
}
+ if (entry->mIndex >= mBuffers.size()) {
+ return ERROR_MALFORMED;
+ }
+
+ sp<IMemory> mem = mBuffers.editItemAt(entry->mIndex);
+ if (mem == NULL || mem->size() < copy || mem->size() - copy < entry->mOffset) {
+ return ERROR_MALFORMED;
+ }
+
memcpy(data,
- (const uint8_t *)mBuffers.editItemAt(entry->mIndex)->pointer()
+ (const uint8_t *)mem->pointer()
+ entry->mOffset,
copy);
generated by cgit v1.1 at 2024-04-24 22:00:08 +0000