authorMarco Nelissen <marcone@google.com>2015-01-15 14:11:19 -0800
committerMarco Nelissen <marcone@google.com>2015-01-15 14:14:44 -0800
commitba6e982635f11bced34897f4317cbe8ff1c89483 (patch)
treee0b67a8756635bfa7022a686f7530fbcd9004fda /media/libstagefright/id3
parent724b9ea51db0c191cc3184319719a38b5a1f6502 (diff)
Fix id3 parser crash
Bug: 18872896 Change-Id: I953f58f35a76590701234d5707e060499acfc069
Diffstat (limited to 'media/libstagefright/id3')
-rw-r--r--media/libstagefright/id3/ID3.cpp11
1 files changed, 9 insertions, 2 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d8bfada..d9491d6 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -630,7 +630,10 @@ void ID3::Iterator::findFrame() {
| (mParent.mData[mOffset + 4] << 8)
| mParent.mData[mOffset + 5];
- mFrameSize += 6;
+ if (mFrameSize == 0) {
+ return;
+ }
+ mFrameSize += 6; // add tag id and size field
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
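Review bot: The new `if (mFrameSize == 0) return;` leaves findFrame() without a comment saying why a zero-length frame ends the search, or what state the iterator is in afterwards. The start and end of the function are outside this hunk, so it cannot be confirmed from here that the frame-data pointer has already been cleared; if it has not, a caller could still see the previous frame after this return. I would add a comment along the lines of `// zero-size frame: nothing valid can follow, stop iterating (iterator reports done)` and confirm the done-state is set before returning. The `baseSize == 0` return in the second hunk needs the same explanation.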
@@ -671,7 +674,11 @@ void ID3::Iterator::findFrame() {
baseSize = U32_AT(&mParent.mData[mOffset + 4]);
}
- mFrameSize = 10 + baseSize;
+ if (baseSize == 0) {
+ return;
+ }
+
+ mFrameSize = 10 + baseSize; // add tag id, size field and flags
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
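Review bot: `mFrameSize = 10 + baseSize` can still wrap for a very large baseSize, because the added check rejects only zero. baseSize is read from a 32-bit field in the file (`U32_AT`), and the `%zu` format suggests mFrameSize is a size_t, which is 32 bits on some targets. A wrapped value would pass the following `mOffset + mFrameSize > mParent.mSize` test, and that sum can itself wrap. I would bound the value before adding, e.g. `if (baseSize == 0 || baseSize > SIZE_MAX - 10) return;`, and write the comparison as `if (mFrameSize > mParent.mSize - mOffset)`, assuming mOffset <= mParent.mSize is already guaranteed earlier in the function, which is outside this hunk. The first hunk uses the same additive comparison, though its size field appears to be narrower.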