summaryrefslogtreecommitdiffstats
path: root/media/libstagefright/OggExtractor.cpp
diff options
context:
space:
mode:
authorMarco Nelissen <marcone@google.com>2015-08-06 08:03:47 -0700
committerMarco Nelissen <marcone@google.com>2015-08-07 19:35:25 +0000
commitc63cc509404b9328aedd1be3adc4e87cd07b4eb1 (patch)
tree65df03d3585206215f2dcf8a1f45a664a39436e8 /media/libstagefright/OggExtractor.cpp
parent821b6c29d3d5782ae17aedc77f406c9eaf2ab2fb (diff)
downloadframeworks_av-c63cc509404b9328aedd1be3adc4e87cd07b4eb1.zip
frameworks_av-c63cc509404b9328aedd1be3adc4e87cd07b4eb1.tar.gz
frameworks_av-c63cc509404b9328aedd1be3adc4e87cd07b4eb1.tar.bz2
Fix Ogg album art
Bug: 23036083 Bug: https://code.google.com/p/android/issues/detail?id=182053 Change-Id: I1a5cbe06990900160c2addade238c1e9feab8f71
Diffstat (limited to 'media/libstagefright/OggExtractor.cpp')
-rw-r--r--media/libstagefright/OggExtractor.cpp13
1 files changed, 9 insertions, 4 deletions
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 1c663a3..6fba8e1 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp
@@ -1299,11 +1299,12 @@ static void extractAlbumArt(
}
typeLen = U32_AT(&flac[4]);
- if (typeLen + 1 > sizeof(type)) {
+ if (typeLen > sizeof(type) - 1) {
goto exit;
}
- if (flacSize < 8 + typeLen) {
+ // we've already checked above that flacSize >= 8
+ if (flacSize - 8 < typeLen) {
goto exit;
}
@@ -1319,13 +1320,17 @@ static void extractAlbumArt(
descLen = U32_AT(&flac[8 + typeLen]);
- if (flacSize < 32 + typeLen + descLen) {
+ if (flacSize < 32 ||
+ flacSize - 32 < typeLen ||
+ flacSize - 32 - typeLen < descLen) {
goto exit;
}
dataLen = U32_AT(&flac[8 + typeLen + 4 + descLen + 16]);
- if (flacSize < 32 + typeLen + descLen + dataLen) {
+
+ // we've already checked above that (flacSize - 32 - typeLen - descLen) >= 0
+ if (flacSize - 32 - typeLen - descLen < dataLen) {
goto exit;
}
generated by cgit v1.1 at 2024-05-15 13:50:20 +0000