diff options
| author | Wei Jia <wjia@google.com> | 2015-08-13 17:07:48 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-13 17:07:48 +0000 |
| commit | f66b81e7c05f62105e7a8deefeaf395b28cb4bb3 (patch) | |
| tree | eb3b056051d4aee682ae9ca7dd7768c2dc6529a5 /media/libstagefright/id3 | |
| parent | f86b266c14d61887b91ba4cfd5e9531877ee455a (diff) | |
| parent | f22da1cf931bb9ae5d964106a138672ebb04fc02 (diff) | |
| download | frameworks_av-f66b81e7c05f62105e7a8deefeaf395b28cb4bb3.zip frameworks_av-f66b81e7c05f62105e7a8deefeaf395b28cb4bb3.tar.gz frameworks_av-f66b81e7c05f62105e7a8deefeaf395b28cb4bb3.tar.bz2 | |
am f22da1cf: am d7146ce7: am 3bb658ac: am 4e86a483: am f51115bd: libstagefright: fix possible overflow in ID3.
* commit 'f22da1cf931bb9ae5d964106a138672ebb04fc02':
libstagefright: fix possible overflow in ID3.
Diffstat (limited to 'media/libstagefright/id3')
| -rw-r--r-- | media/libstagefright/id3/ID3.cpp | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 3ef175b..894a9c9 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -327,7 +327,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) { size_t oldSize = mSize; size_t offset = 0; - while (offset + 10 <= mSize) { + while (mSize >= 10 && offset <= mSize - 10) { if (!memcmp(&mData[offset], "\0\0\0\0", 4)) { break; } @@ -339,7 +339,7 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) { return false; } - if (offset + dataSize + 10 > mSize) { + if (dataSize > mSize - 10 - offset) { return false; } @@ -349,6 +349,9 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) { if (flags & 1) { // Strip data length indicator + if (mSize < 14 || mSize - 14 < offset) { + return false; + } memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14); mSize -= 4; dataSize -= 4; |