diff options
| author | Marco Nelissen <marcone@google.com> | 2015-08-07 14:47:48 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-07 14:47:48 +0000 |
| commit | dfaea255546340742b42c216663f61c6b7301c4f (patch) | |
| tree | 7e77aeb1072938040bab56ba4a9ed6b48c0a8473 /media | |
| parent | fbf1c8d65fe257847b35ec7289f9450ac34c8034 (diff) | |
| parent | 578d5b66fc9f5e36ca0cb19b21771aa85ec131ee (diff) | |
| download | frameworks_av-dfaea255546340742b42c216663f61c6b7301c4f.zip frameworks_av-dfaea255546340742b42c216663f61c6b7301c4f.tar.gz frameworks_av-dfaea255546340742b42c216663f61c6b7301c4f.tar.bz2 | |
am 578d5b66: am 171b5fad: am d6ea7f65: am f26400c9: Fix crash on malformed id3
* commit '578d5b66fc9f5e36ca0cb19b21771aa85ec131ee':
Fix crash on malformed id3
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/MetaData.cpp | 32 | ||||
| -rw-r--r-- | media/libstagefright/id3/ID3.cpp | 6 |
2 files changed, 26 insertions, 12 deletions
diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp index 7d867b7..1a11c1e 100644 --- a/media/libstagefright/MetaData.cpp +++ b/media/libstagefright/MetaData.cpp @@ -244,8 +244,11 @@ MetaData::typed_data::~typed_data() { MetaData::typed_data::typed_data(const typed_data &from) : mType(from.mType), mSize(0) { - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } MetaData::typed_data &MetaData::typed_data::operator=( @@ -253,8 +256,10 @@ MetaData::typed_data &MetaData::typed_data::operator=( if (this != &from) { clear(); mType = from.mType; - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } return *this; @@ -271,13 +276,11 @@ void MetaData::typed_data::setData( clear(); mType = type; - allocateStorage(size); - void *dst = storage(); - if (!dst) { - ALOGE("Couldn't allocate %zu bytes for item", size); - return; + + void *dst = allocateStorage(size); + if (dst) { + memcpy(dst, data, size); } - memcpy(dst, data, size); } void MetaData::typed_data::getData( @@ -287,14 +290,19 @@ void MetaData::typed_data::getData( *data = storage(); } -void MetaData::typed_data::allocateStorage(size_t size) { +void *MetaData::typed_data::allocateStorage(size_t size) { mSize = size; if (usesReservoir()) { - return; + return &u.reservoir; } u.ext_data = malloc(mSize); + if (u.ext_data == NULL) { + ALOGE("Couldn't allocate %zu bytes for item", size); + mSize = 0; + } + return u.ext_data; } void MetaData::typed_data::freeStorage() { diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index 7f221a0..3ef175b 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -804,6 +804,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const { size_t descLen = StringSize(&data[2 + mimeLen], encoding); + if (size < 2 || + size - 2 < mimeLen || + size - 2 - mimeLen < descLen) { + ALOGW("bogus album art sizes"); + return NULL; + } *length = size - 2 - mimeLen - descLen; return &data[2 + mimeLen + descLen]; |