diff options
| author | Joshua J. Drake <android-open-source@qoop.org> | 2015-08-15 08:31:32 -0500 |
|---|---|---|
| committer | Steve Kondik <steve@cyngn.com> | 2016-03-22 17:14:35 -0700 |
| commit | 985e33c71917a8c7f3cc5bbb2bd0d1feb188c258 (patch) | |
| tree | 4e83fe330dc4fe321289953517419f627f548e6e /media/libstagefright/httplive | |
| parent | 429372d0c568768eb754e827cc63c2a486ced050 (diff) | |
| download | frameworks_av-985e33c71917a8c7f3cc5bbb2bd0d1feb188c258.zip frameworks_av-985e33c71917a8c7f3cc5bbb2bd0d1feb188c258.tar.gz frameworks_av-985e33c71917a8c7f3cc5bbb2bd0d1feb188c258.tar.bz2 | |
Prevent integer underflows in ID3::Iterator
If mFrameSize is less than or equal to getHeaderLength(), an integer underflow
will occur. This typically leads to a crash reading out of bounds in the
following code. Prevent this from happening by validating mFrameSize.
Also add NULL checks after references to ID3::Iterator::getData.
Bug: 23285887
Change-Id: I35eeda3c5349ebbd9ffb3ea49b79af6a940d1395
Diffstat (limited to 'media/libstagefright/httplive')
| -rw-r--r-- | media/libstagefright/httplive/PlaylistFetcher.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/media/libstagefright/httplive/PlaylistFetcher.cpp b/media/libstagefright/httplive/PlaylistFetcher.cpp index 52be368..b030e90 100644 --- a/media/libstagefright/httplive/PlaylistFetcher.cpp +++ b/media/libstagefright/httplive/PlaylistFetcher.cpp @@ -1911,6 +1911,9 @@ status_t PlaylistFetcher::extractAndQueueAccessUnits( while (!it.done()) { size_t length; const uint8_t *data = it.getData(&length); + if (!data) { + return ERROR_MALFORMED; + } static const char *kMatchName = "com.apple.streaming.transportStreamTimestamp"; |