diff options
| author | Joshua J. Drake <android-open-source@qoop.org> | 2015-05-04 17:33:49 -0500 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2015-05-07 15:44:55 -0700 |
| commit | 5cea0155cfc41f67e91343c342f44251c03fde3a (patch) | |
| tree | 8b4f834103d9b2e3db98d4a83c3cb11374a2e8e5 /media | |
| parent | 3f4431e97376b8a315ad8862724e1e1fb34c9292 (diff) | |
| download | frameworks_av-5cea0155cfc41f67e91343c342f44251c03fde3a.zip frameworks_av-5cea0155cfc41f67e91343c342f44251c03fde3a.tar.gz frameworks_av-5cea0155cfc41f67e91343c342f44251c03fde3a.tar.bz2 | |
Prevent reading past the end of the buffer in 3GPP
Metadata processed within the parse3GPPMetaData function may not be NUL
terminated and thus calling setCString may read out of bounds. Ensure
proper NUL termination, but take care not to interfere with other special
cases (ie, albm).
Bug: 20923261
Change-Id: Ie93b3038b534b4c4460571a68f4d734cff7ad324
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 6573afc..1f1d751 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -2605,11 +2605,11 @@ status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) { } status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) { - if (size < 4) { + if (size < 4 || size == SIZE_MAX) { return ERROR_MALFORMED; } - uint8_t *buffer = new (std::nothrow) uint8_t[size]; + uint8_t *buffer = new (std::nothrow) uint8_t[size + 1]; if (buffer == NULL) { return ERROR_MALFORMED; } @@ -2701,6 +2701,7 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept } if (isUTF8) { + buffer[size] = 0; mFileMetaData->setCString(metadataKey, (const char *)buffer + 6); } else { // Convert from UTF-16 string to UTF-8 string. |