authorJoshua J. Drake <android-open-source@qoop.org>2015-05-04 17:33:49 -0500
committerNick Kralevich <nnk@google.com>2015-05-07 15:44:55 -0700
commit5cea0155cfc41f67e91343c342f44251c03fde3a (patch)
tree8b4f834103d9b2e3db98d4a83c3cb11374a2e8e5 /media
parent3f4431e97376b8a315ad8862724e1e1fb34c9292 (diff)
Prevent reading past the end of the buffer in 3GPP
Metadata processed within the parse3GPPMetaData function may not be NUL terminated and thus calling setCString may read out of bounds. Ensure proper NUL termination, but take care not to interfere with other special cases (i.e., albm). Bug: 20923261 Change-Id: Ie93b3038b534b4c4460571a68f4d734cff7ad324
Diffstat (limited to 'media')
-rw-r--r--media/libstagefright/MPEG4Extractor.cpp5
1 files changed, 3 insertions, 2 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 6573afc..1f1d751 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2605,11 +2605,11 @@ status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) {
}
status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
- if (size < 4) {
+ if (size < 4 || size == SIZE_MAX) {
return ERROR_MALFORMED;
}
- uint8_t *buffer = new (std::nothrow) uint8_t[size];
+ uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
if (buffer == NULL) {
return ERROR_MALFORMED;
}
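Review bot: The entry guard still admits `size` values of 4 and 5, while the UTF-8 branch in the second hunk passes `buffer + 6` to setCString, so for those sizes the new terminator at `buffer[size]` sits before that pointer and the read starts outside the `size + 1` allocation. Unless code between the two hunks (not visible here) already rejects such boxes, the guard could become `if (size < 6 || size == SIZE_MAX) {` if no handled tag is legitimately shorter, or the UTF-8 branch could check `size >= 6` before the call. A short comment on the guard, such as `// size + 1 below must not wrap; the extra byte holds the NUL terminator`, would also record why SIZE_MAX is rejected. The body of parse3GPPMetaData continues outside this hunk.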
@@ -2701,6 +2701,7 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept
}
if (isUTF8) {
+ buffer[size] = 0;
mFileMetaData->setCString(metadataKey, (const char *)buffer + 6);
} else {
// Convert from UTF-16 string to UTF-8 string.