authorRobert Shih <robertshih@google.com>2015-08-22 01:33:50 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-08-22 01:33:50 +0000
commit4bb4736eb6b5038385c2c0e8c28e4d2df9add929 (patch)
treeb227d7b36506459f5b90e4582c691cfbd3c0f34d /media
parent07a2e912a89d0dc83a8e83b33a066ef3ae1a2333 (diff)
parent4c6556d17f4073ed0b4d11abf42df9c32c339291 (diff)
am 4c6556d1: am 8cf3564d: am eecc406f: am 3b42241a: Merge "Prevent integer issues in ID3::Iterator::findFrame" into klp-dev
* commit '4c6556d17f4073ed0b4d11abf42df9c32c339291': Prevent integer issues in ID3::Iterator::findFrame
Diffstat (limited to 'media')
-rw-r--r--media/libstagefright/id3/ID3.cpp23
1 files changed, 21 insertions, 2 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index fb3ae49..683c6ef 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -638,6 +638,11 @@ void ID3::Iterator::findFrame() {
mFrameSize += 6;
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
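Review bot: The added guard `if (SIZE_MAX - mOffset <= mFrameSize)` and the existing `mOffset + mFrameSize > mParent.mSize` test enforce the same bound in two steps, and the second still relies on the first to be safe. If mOffset <= mParent.mSize is already guaranteed here (the start of findFrame is outside the hunk, so this needs confirming), a single subtraction form, `if (mFrameSize > mParent.mSize - mOffset) {`, cannot wrap and makes the separate overflow guard unnecessary. The guard also returns silently, unlike the partial-frame branch directly below it, so a tag rejected for an oversized frame leaves nothing in verbose logs; an `ALOGV("frame size overflow at offset %zu", mOffset);` before the `return` would help when triaging malformed files. The same pair of checks is repeated in the third hunk around `mFrameSize = 10 + baseSize;`, and the same points apply there.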
@@ -667,7 +672,7 @@ void ID3::Iterator::findFrame() {
return;
}
- size_t baseSize;
+ size_t baseSize = 0;
if (mParent.mVersion == ID3_V2_4) {
if (!ParseSyncsafeInteger(
&mParent.mData[mOffset + 4], &baseSize)) {
@@ -677,7 +682,21 @@ void ID3::Iterator::findFrame() {
baseSize = U32_AT(&mParent.mData[mOffset + 4]);
}
- mFrameSize = 10 + baseSize;
+ if (baseSize == 0) {
+ return;
+ }
+
+ // Prevent integer overflow when adding
+ if (SIZE_MAX - 10 <= baseSize) {
+ return;
+ }
+
+ mFrameSize = 10 + baseSize; // add tag id, size field and flags
+
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",