diff options
author | Marco Nelissen <marcone@google.com> | 2015-08-07 16:36:08 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-07 16:36:08 +0000 |
commit | e0e37e13bc9e62e58484d1e54e66eaf506744548 (patch) | |
tree | 004b73ebbe0fdfb5ff41d6f340e0274f6b34512c /media | |
parent | 821b6c29d3d5782ae17aedc77f406c9eaf2ab2fb (diff) | |
parent | 48192b84db39879e7d83a2f4e7023048fb81ee8e (diff) | |
download | frameworks_av-e0e37e13bc9e62e58484d1e54e66eaf506744548.zip frameworks_av-e0e37e13bc9e62e58484d1e54e66eaf506744548.tar.gz frameworks_av-e0e37e13bc9e62e58484d1e54e66eaf506744548.tar.bz2 |
am 48192b84: am 0625841d: am dfaea255: am 578d5b66: am 171b5fad: am d6ea7f65: am f26400c9: Fix crash on malformed id3
* commit '48192b84db39879e7d83a2f4e7023048fb81ee8e':
Fix crash on malformed id3
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/MetaData.cpp | 32 | ||||
-rw-r--r-- | media/libstagefright/id3/ID3.cpp | 6 |
2 files changed, 26 insertions, 12 deletions
diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp index 7d867b7..1a11c1e 100644 --- a/media/libstagefright/MetaData.cpp +++ b/media/libstagefright/MetaData.cpp @@ -244,8 +244,11 @@ MetaData::typed_data::~typed_data() { MetaData::typed_data::typed_data(const typed_data &from) : mType(from.mType), mSize(0) { - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } MetaData::typed_data &MetaData::typed_data::operator=( @@ -253,8 +256,10 @@ MetaData::typed_data &MetaData::typed_data::operator=( if (this != &from) { clear(); mType = from.mType; - allocateStorage(from.mSize); - memcpy(storage(), from.storage(), mSize); + void *dst = allocateStorage(from.mSize); + if (dst) { + memcpy(dst, from.storage(), mSize); + } } return *this; @@ -271,13 +276,11 @@ void MetaData::typed_data::setData( clear(); mType = type; - allocateStorage(size); - void *dst = storage(); - if (!dst) { - ALOGE("Couldn't allocate %zu bytes for item", size); - return; + + void *dst = allocateStorage(size); + if (dst) { + memcpy(dst, data, size); } - memcpy(dst, data, size); } void MetaData::typed_data::getData( @@ -287,14 +290,19 @@ void MetaData::typed_data::getData( *data = storage(); } -void MetaData::typed_data::allocateStorage(size_t size) { +void *MetaData::typed_data::allocateStorage(size_t size) { mSize = size; if (usesReservoir()) { - return; + return &u.reservoir; } u.ext_data = malloc(mSize); + if (u.ext_data == NULL) { + ALOGE("Couldn't allocate %zu bytes for item", size); + mSize = 0; + } + return u.ext_data; } void MetaData::typed_data::freeStorage() { diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp index d9491d6..38ba844 100644 --- a/media/libstagefright/id3/ID3.cpp +++ b/media/libstagefright/id3/ID3.cpp @@ -811,6 +811,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const { size_t descLen = StringSize(&data[2 + mimeLen], encoding); + if (size < 2 || + size - 2 < mimeLen || + size - 2 - mimeLen < descLen) { + ALOGW("bogus album art sizes"); + return NULL; + } *length = size - 2 - mimeLen - descLen; return &data[2 + mimeLen + descLen]; |