better validation lengths of strings in ID3 tags

Validate lengths on strings in ID3 tags, particularly around 0. Also added code to handle cases when we can't get memory for copies of strings we want to extract from these tags. Affects L/M/N/master, same patch for all of them. Bug: 30744884 Change-Id: I2675a817a39f0927ec1f7e9f9c09f2e61020311e Test: play mp3 file which caused a <0 length. (cherry picked from commit d23c01546c4f82840a01a380def76ab6cae5d43f)
author: Ray Essick <essick@google.com> 2016-08-16 14:24:43 -0700
committer: gitbuildkicker <android-build@google.com> 2016-08-26 16:20:40 -0700
commit: dda9d703d7dd2129ff6242fae84ca156caa38632 (patch)
tree: adcda6af2974360d66a3ebdcbb5ffa4dd93d84bc /media/libstagefright
parent: b569311fe413fef4f35114f00485340cc6e322ee (diff)
download: frameworks_av-dda9d703d7dd2129ff6242fae84ca156caa38632.zip
frameworks_av-dda9d703d7dd2129ff6242fae84ca156caa38632.tar.gz
frameworks_av-dda9d703d7dd2129ff6242fae84ca156caa38632.tar.bz2
1 files changed, 42 insertions, 15 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 4410579..6e14197 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -77,7 +77,10 @@ ID3::ID3(const uint8_t *data, size_t size, bool ignoreV1)
       mFirstFrameOffset(0),
       mVersion(ID3_UNKNOWN),
       mRawSize(0) {
-    sp<MemorySource> source = new MemorySource(data, size);
+    sp<MemorySource> source = new (std::nothrow) MemorySource(data, size);
+
+    if (source == NULL)
+        return;
 
     mIsValid = parseV2(source, 0);
 
@@ -542,6 +545,10 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
         n -= skipped;
     }
 
+    if (n <= 0) {
+       return;
+    }
+
     if (encoding == 0x00) {
         // supposedly ISO 8859-1
         id->setTo((const char*)frameData + 1, n);
@@ -555,11 +562,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
         const char16_t *framedata = (const char16_t *) (frameData + 1);
         char16_t *framedatacopy = NULL;
 #if BYTE_ORDER == LITTLE_ENDIAN
-        framedatacopy = new char16_t[len];
-        for (int i = 0; i < len; i++) {
-            framedatacopy[i] = bswap_16(framedata[i]);
+        if (len > 0) {
+            framedatacopy = new (std::nothrow) char16_t[len];
+            if (framedatacopy == NULL) {
+                return;
+            }
+            for (int i = 0; i < len; i++) {
+                framedatacopy[i] = bswap_16(framedata[i]);
+            }
+            framedata = framedatacopy;
         }
-        framedata = framedatacopy;
 #endif
         id->setTo(framedata, len);
         if (framedatacopy != NULL) {
@@ -572,15 +584,26 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
         const char16_t *framedata = (const char16_t *) (frameData + 1);
         char16_t *framedatacopy = NULL;
         if (*framedata == 0xfffe) {
-            // endianness marker doesn't match host endianness, convert
-            framedatacopy = new char16_t[len];
+            // endianness marker != host endianness, convert & skip
+            if (len <= 1) {
+                return;         // nothing after the marker
+            }
+            framedatacopy = new (std::nothrow) char16_t[len];
+            if (framedatacopy == NULL) {
+                return;
+            }
             for (int i = 0; i < len; i++) {
                 framedatacopy[i] = bswap_16(framedata[i]);
             }
             framedata = framedatacopy;
-        }
-        // If the string starts with an endianness marker, skip it
-        if (*framedata == 0xfeff) {
+            // and skip over the marker
+            framedata++;
+            len--;
+        } else if (*framedata == 0xfeff) {
+            // endianness marker == host endianness, skip it
+            if (len <= 1) {
+                return;         // nothing after the marker
+            }
             framedata++;
             len--;
         }
@@ -595,12 +618,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
         }
         if (eightBit) {
             // collapse to 8 bit, then let the media scanner client figure out the real encoding
-            char *frame8 = new char[len];
-            for (int i = 0; i < len; i++) {
-                frame8[i] = framedata[i];
+            char *frame8 = new (std::nothrow) char[len];
+            if (frame8 != NULL) {
+                for (int i = 0; i < len; i++) {
+                    frame8[i] = framedata[i];
+                }
+                id->setTo(frame8, len);
+                delete [] frame8;
+            } else {
+                id->setTo(framedata, len);
             }
-            id->setTo(frame8, len);
-            delete [] frame8;
         } else {
             id->setTo(framedata, len);
         }
author	Ray Essick <essick@google.com>	2016-08-16 14:24:43 -0700
committer	gitbuildkicker <android-build@google.com>	2016-08-26 16:20:40 -0700
commit	dda9d703d7dd2129ff6242fae84ca156caa38632 (patch)
tree	adcda6af2974360d66a3ebdcbb5ffa4dd93d84bc /media/libstagefright
parent	b569311fe413fef4f35114f00485340cc6e322ee (diff)
download	frameworks_av-dda9d703d7dd2129ff6242fae84ca156caa38632.zip frameworks_av-dda9d703d7dd2129ff6242fae84ca156caa38632.tar.gz frameworks_av-dda9d703d7dd2129ff6242fae84ca156caa38632.tar.bz2