summaryrefslogtreecommitdiffstats
path: root/media
diff options
context:
space:
mode:
authorRobert Shih <robertshih@google.com>2015-08-24 16:06:16 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-08-24 16:06:16 +0000
commit7b06f9ba19a9945355d634ddafaaa351681b6f9b (patch)
tree2746d68470a048e6ce5b886fd9afac7351ad130b /media
parent76dea1de8c92588358923300cbbc038144d302eb (diff)
parentfa11fd5bb2e9c5e00f7fecbbe76c279193182cee (diff)
downloadframeworks_av-7b06f9ba19a9945355d634ddafaaa351681b6f9b.zip
frameworks_av-7b06f9ba19a9945355d634ddafaaa351681b6f9b.tar.gz
frameworks_av-7b06f9ba19a9945355d634ddafaaa351681b6f9b.tar.bz2
am fa11fd5b: resolved conflicts for merge of 327afffb to lmp-mr1-ub-dev
* commit 'fa11fd5bb2e9c5e00f7fecbbe76c279193182cee': Prevent integer issues in ID3::Iterator::findFrame
Diffstat (limited to 'media')
-rw-r--r--media/libstagefright/id3/ID3.cpp17
1 files changed, 16 insertions, 1 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 165d4d9..00f87aa 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -641,6 +641,11 @@ void ID3::Iterator::findFrame() {
}
mFrameSize += 6; // add tag id and size field
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
@@ -670,7 +675,7 @@ void ID3::Iterator::findFrame() {
return;
}
- size_t baseSize;
+ size_t baseSize = 0;
if (mParent.mVersion == ID3_V2_4) {
if (!ParseSyncsafeInteger(
&mParent.mData[mOffset + 4], &baseSize)) {
@@ -684,8 +689,18 @@ void ID3::Iterator::findFrame() {
return;
}
+ // Prevent integer overflow when adding
+ if (SIZE_MAX - 10 <= baseSize) {
+ return;
+ }
+
mFrameSize = 10 + baseSize; // add tag id, size field and flags
+ // Prevent integer overflow in validation
+ if (SIZE_MAX - mOffset <= mFrameSize) {
+ return;
+ }
+
if (mOffset + mFrameSize > mParent.mSize) {
ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)10);