diff options
| author | Wei Jia <wjia@google.com> | 2015-06-12 16:29:18 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-06-12 16:29:18 +0000 |
| commit | 3056e554741facd48cec8247790bb091d574972f (patch) | |
| tree | cd887cc90841c38903596ca68d5f3bb57a57ee57 /media | |
| parent | acf52af62fcf14d18e4a557319a7307b7ed02c94 (diff) | |
| parent | c1768c9dae4e4ad1f92759c9c981d2d6e5bd29d6 (diff) | |
| download | frameworks_av-3056e554741facd48cec8247790bb091d574972f.zip frameworks_av-3056e554741facd48cec8247790bb091d574972f.tar.gz frameworks_av-3056e554741facd48cec8247790bb091d574972f.tar.bz2 | |
am c1768c9d: am 268b9692: am 9a4da6b1: am c98f2a0a: am e0095a19: am 86174e2c: Merge "Prevent reading past the end of the buffer in 3GPP" into lmp-dev
* commit 'c1768c9dae4e4ad1f92759c9c981d2d6e5bd29d6':
Prevent reading past the end of the buffer in 3GPP
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index bb08513..c463b76 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -2403,11 +2403,11 @@ status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) { } status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) { - if (size < 4) { + if (size < 4 || size == SIZE_MAX) { return ERROR_MALFORMED; } - uint8_t *buffer = new (std::nothrow) uint8_t[size]; + uint8_t *buffer = new (std::nothrow) uint8_t[size + 1]; if (buffer == NULL) { return ERROR_MALFORMED; } @@ -2503,6 +2503,7 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept } if (isUTF8) { + buffer[size] = 0; mFileMetaData->setCString(metadataKey, (const char *)buffer + 6); } else { // Convert from UTF-16 string to UTF-8 string. |