author | Robert Shih <robertshih@google.com> | 2015-08-24 08:36:50 -0700 |
---|---|---|
committer | Robert Shih <robertshih@google.com> | 2015-08-24 08:36:50 -0700 |
commit | fa11fd5bb2e9c5e00f7fecbbe76c279193182cee (patch) | |
tree | 500f0f9272264d34602d7942943af7a7e21c5b9a /media/libstagefright/id3 | |
parent | 47b90fe20d6ea9409c7009926c60fa33985f4211 (diff) | |
parent | 327afffb24c8baaf77f42cbbeb9aca25eddee7b4 (diff) | |
resolved conflicts for merge of 327afffb to lmp-mr1-ub-dev
Change-Id: I6c1369f05bbeb83e2152b8dae35f7a53328f7239
Diffstat (limited to 'media/libstagefright/id3')
-rw-r--r-- | media/libstagefright/id3/ID3.cpp | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 165d4d9..00f87aa 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -641,6 +641,11 @@ void ID3::Iterator::findFrame() {
 }
 mFrameSize += 6; // add tag id and size field
 
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
 if (mOffset + mFrameSize > mParent.mSize) {
 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
 mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
@@ -670,7 +675,7 @@ void ID3::Iterator::findFrame() {
 return;
 }
 
- size_t baseSize;
+ size_t baseSize = 0;
 if (mParent.mVersion == ID3_V2_4) {
 if (!ParseSyncsafeInteger(
 &mParent.mData[mOffset + 4], &baseSize)) {
@@ -684,8 +689,18 @@ void ID3::Iterator::findFrame() {
 return;
 }
 
+ // Prevent integer overflow when adding
+ if (SIZE_MAX - 10 <= baseSize) {
+ return;
+ }
+
 mFrameSize = 10 + baseSize; // add tag id, size field and flags
 
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
 if (mOffset + mFrameSize > mParent.mSize) {
 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
 mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)10);
|
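Review bot: The guard added ahead of the `mOffset + mFrameSize > mParent.mSize` test in the first hunk is written against `SIZE_MAX`, which leaves two checks where one overflow-free comparison would do. If `mOffset <= mParent.mSize` holds at this point (the loop condition is outside the hunk, so this needs confirming), `if (mFrameSize > mParent.mSize - mOffset)` rejects both the wrapped sum and the partial frame without ever forming `mOffset + mFrameSize`. The same guard is repeated verbatim in the third hunk, so the rewrite, or a small static helper shared by both branches, would apply there too. findFrame's body starts and ends outside the hunk.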
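Review bot: The two early `return`s added in the third hunk drop a malformed frame silently, while the neighbouring partial-frame branch at least emits `ALOGV`; a size field large enough to trip `SIZE_MAX - 10 <= baseSize` is never legitimate and is worth a visible log line, e.g. `ALOGE("ID3 frame size overflow at offset %zu", mOffset);` before each return. That first guard can presumably only fire where `size_t` is 32 bits wide and the size came from the non-syncsafe path (the `else` branch is outside the hunk, so this is inferred), which deserves a one-line comment such as `// only reachable with 32-bit size_t and a raw 32-bit size field`. The literal `10` now appears in the guard, the sum and the log argument; a named constant would keep the three in step.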