diff options
author | Mike Lockwood <lockwood@android.com> | 2010-11-30 12:16:58 -0500 |
---|---|---|
committer | Mike Lockwood <lockwood@android.com> | 2010-11-30 12:19:41 -0500 |
commit | 1d34b4b921cdac91116e456d97b57a1931e9e335 (patch) | |
tree | 735567f60688e6e677acb1fe941b64a234990ee0 /media/mtp | |
parent | 841af895d7f5051b9e96899710dba8d3fe2af1f2 (diff) | |
download | frameworks_av-1d34b4b921cdac91116e456d97b57a1931e9e335.zip frameworks_av-1d34b4b921cdac91116e456d97b57a1931e9e335.tar.gz frameworks_av-1d34b4b921cdac91116e456d97b57a1931e9e335.tar.bz2 |
MTP: Make sure buffer is big enough before reading the data packet
Fixes buffer overflow when transferring large playlists.
Change-Id: I1b7feaf9e56d849e5b6609f0f68a6aa5a3ae1ea8
Signed-off-by: Mike Lockwood <lockwood@android.com>
Diffstat (limited to 'media/mtp')
-rw-r--r-- | media/mtp/MtpDataPacket.cpp | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/media/mtp/MtpDataPacket.cpp b/media/mtp/MtpDataPacket.cpp index e1d1a92..eac1f7e 100644 --- a/media/mtp/MtpDataPacket.cpp +++ b/media/mtp/MtpDataPacket.cpp @@ -351,6 +351,7 @@ int MtpDataPacket::read(int fd) { return -1; // then the following data int total = MtpPacket::getUInt32(MTP_CONTAINER_LENGTH_OFFSET); + allocate(total); int remaining = total - MTP_CONTAINER_HEADER_SIZE; ret = ::read(fd, &mBuffer[0] + MTP_CONTAINER_HEADER_SIZE, remaining); if (ret != remaining) |