diff options
author | Nick Kralevich <nnk@google.com> | 2015-04-10 23:16:02 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-04-10 23:16:03 +0000 |
commit | 6429079345404932c5be5956efc7154390d2ed0e (patch) | |
tree | 1de9424be4ec0eb26b27a6816a27aaafc254a77f /media/libstagefright | |
parent | 17b625b7f51b75fde6640c737474b8b2c51412bf (diff) | |
parent | 0e4e5a8c09c63548f2a00c77ab5038b7703384bc (diff) | |
download | frameworks_av-6429079345404932c5be5956efc7154390d2ed0e.zip frameworks_av-6429079345404932c5be5956efc7154390d2ed0e.tar.gz frameworks_av-6429079345404932c5be5956efc7154390d2ed0e.tar.bz2 |
Merge "Fix integer underflow in ESDS processing" into klp-dev
Diffstat (limited to 'media/libstagefright')
-rw-r--r-- | media/libstagefright/ESDS.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp index 4a0c35c..c76bc4a 100644 --- a/media/libstagefright/ESDS.cpp +++ b/media/libstagefright/ESDS.cpp @@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { --size; if (streamDependenceFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; } @@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { return ERROR_MALFORMED; } unsigned URLlength = mData[offset]; + if (URLlength >= size) + return ERROR_MALFORMED; offset += URLlength + 1; size -= URLlength + 1; } if (OCRstreamFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; |