Fix id3 parser crash

Bug: 18872896
Change-Id: I953f58f35a76590701234d5707e060499acfc069

1 files changed, 9 insertions, 2 deletions

diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d8bfada..d9491d6 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -630,7 +630,10 @@ void ID3::Iterator::findFrame() {
                 | (mParent.mData[mOffset + 4] << 8)
                 | mParent.mData[mOffset + 5];
 
-            mFrameSize += 6;
+            if (mFrameSize == 0) {
+                return;
+            }
+            mFrameSize += 6; // add tag id and size field
 
             if (mOffset + mFrameSize > mParent.mSize) {
                 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
@@ -671,7 +674,11 @@ void ID3::Iterator::findFrame() {
                 baseSize = U32_AT(&mParent.mData[mOffset + 4]);
             }
 
-            mFrameSize = 10 + baseSize;
+            if (baseSize == 0) {
+                return;
+            }
+
+            mFrameSize = 10 + baseSize; // add tag id, size field and flags
 
             if (mOffset + mFrameSize > mParent.mSize) {
                 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",