MPEG4Extractor: ensure buffer size is not less than 8 for LastCommentData.

Bug: 24346430 Change-Id: I897a724e968841d9160f819d06c0ce22f6d743c4
author: Wei Jia <wjia@google.com> 2015-09-28 14:50:47 -0700
committer: Wei Jia <wjia@google.com> 2015-10-02 11:10:22 -0700
commit: 5cae16bdce77b0a3ba590b55637f7d55a2f35402 (patch)
tree: 937cc1cd378e3e3200878f673f9a39f0f816f944 /media/libstagefright/MPEG4Extractor.cpp
parent: a9a899d3970f41162c8e9c720bf05f3e6226a90a (diff)
download: frameworks_av-5cae16bdce77b0a3ba590b55637f7d55a2f35402.zip
frameworks_av-5cae16bdce77b0a3ba590b55637f7d55a2f35402.tar.gz
frameworks_av-5cae16bdce77b0a3ba590b55637f7d55a2f35402.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 38ae6f3..4e12c07 100755
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2564,6 +2564,12 @@ status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) {
                     mLastCommentName.setTo((const char *)buffer + 4);
                     break;
                 case FOURCC('d', 'a', 't', 'a'):
+                    if (size < 8) {
+                        delete[] buffer;
+                        buffer = NULL;
+                        ALOGE("b/24346430");
+                        return ERROR_MALFORMED;
+                    }
                     mLastCommentData.setTo((const char *)buffer + 8);
                     break;
             }
author	Wei Jia <wjia@google.com>	2015-09-28 14:50:47 -0700
committer	Wei Jia <wjia@google.com>	2015-10-02 11:10:22 -0700
commit	5cae16bdce77b0a3ba590b55637f7d55a2f35402 (patch)
tree	937cc1cd378e3e3200878f673f9a39f0f816f944 /media/libstagefright/MPEG4Extractor.cpp
parent	a9a899d3970f41162c8e9c720bf05f3e6226a90a (diff)
download	frameworks_av-5cae16bdce77b0a3ba590b55637f7d55a2f35402.zip frameworks_av-5cae16bdce77b0a3ba590b55637f7d55a2f35402.tar.gz frameworks_av-5cae16bdce77b0a3ba590b55637f7d55a2f35402.tar.bz2