diff options
author | Nick Kralevich <nnk@google.com> | 2015-04-10 01:19:33 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-04-10 01:19:34 +0000 |
commit | 1c2dc0643141483cb7f90ee032845a1c38fe093a (patch) | |
tree | bdadb9b11ccab00490939806b0c8484c5d27e663 /media | |
parent | 3ab51eece858f1ebc4d9c4e10bb368620d6ad713 (diff) | |
parent | 07c0f59d6c48874982d2b5c713487612e5af465a (diff) | |
download | frameworks_av-1c2dc0643141483cb7f90ee032845a1c38fe093a.zip frameworks_av-1c2dc0643141483cb7f90ee032845a1c38fe093a.tar.gz frameworks_av-1c2dc0643141483cb7f90ee032845a1c38fe093a.tar.bz2 |
Merge "Fix integer underflow in ESDS processing"
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/ESDS.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/media/libstagefright/ESDS.cpp b/media/libstagefright/ESDS.cpp index 427bf7b..8fbb57c 100644 --- a/media/libstagefright/ESDS.cpp +++ b/media/libstagefright/ESDS.cpp @@ -136,6 +136,8 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { --size; if (streamDependenceFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; } @@ -145,11 +147,15 @@ status_t ESDS::parseESDescriptor(size_t offset, size_t size) { return ERROR_MALFORMED; } unsigned URLlength = mData[offset]; + if (URLlength >= size) + return ERROR_MALFORMED; offset += URLlength + 1; size -= URLlength + 1; } if (OCRstreamFlag) { + if (size < 2) + return ERROR_MALFORMED; offset += 2; size -= 2; |