Fix for memory corruption in ID3::removeUnsynchronizationV2_4().

Bug: 23227354 Change-Id: Iaa36cfda4fd84ca7e039f56086fd61b4118020db (cherry picked from commit 77e23413a539df16503e356bd4df4a952f3abc47)
author: Neel Mehta <nmehta@google.com> 2015-08-14 17:38:48 -0700
committer: Abhishek Arya <aarya@google.com> 2015-08-18 02:12:26 +0000
commit: c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b (patch)
tree: b29d7f3b35fcb42b4d696b2a1a68399e2758e52c /media/libstagefright/id3
parent: deba0610c89d54390c9d2d0a0f3b79fd7679779c (diff)
download: frameworks_av-c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b.zip
frameworks_av-c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b.tar.gz
frameworks_av-c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index c3fb9bd..751b810 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -349,7 +349,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
         if (flags & 1) {
             // Strip data length indicator
 
-            if (mSize < 14 || mSize - 14 < offset) {
+            if (mSize < 14 || mSize - 14 < offset || dataSize < 4) {
                 return false;
             }
             memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
author	Neel Mehta <nmehta@google.com>	2015-08-14 17:38:48 -0700
committer	Abhishek Arya <aarya@google.com>	2015-08-18 02:12:26 +0000
commit	c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b (patch)
tree	b29d7f3b35fcb42b4d696b2a1a68399e2758e52c /media/libstagefright/id3
parent	deba0610c89d54390c9d2d0a0f3b79fd7679779c (diff)
download	frameworks_av-c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b.zip frameworks_av-c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b.tar.gz frameworks_av-c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b.tar.bz2