diff options
| author | Marco Nelissen <marcone@google.com> | 2015-08-08 03:19:34 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-08-08 03:19:34 +0000 |
| commit | f647c38a3e4b065fc26d0a8bb55071dae1028ac2 (patch) | |
| tree | 73ae2b98853f00749c5a1a3471a292a560f05823 /media | |
| parent | b3adb709bd278004de5764ce45b51140aefcc4c8 (diff) | |
| parent | 648ec9da3bcf1b9b47f2abf6bfcb2fdf54db7b09 (diff) | |
| download | frameworks_av-f647c38a3e4b065fc26d0a8bb55071dae1028ac2.zip frameworks_av-f647c38a3e4b065fc26d0a8bb55071dae1028ac2.tar.gz frameworks_av-f647c38a3e4b065fc26d0a8bb55071dae1028ac2.tar.bz2 | |
am 648ec9da: am 92b5c47a: am 32739430: am fbf55d85: am 80c17e0d: am 450e1015: Fix Ogg album art
* commit '648ec9da3bcf1b9b47f2abf6bfcb2fdf54db7b09':
Fix Ogg album art
Diffstat (limited to 'media')
| -rw-r--r-- | media/libstagefright/OggExtractor.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp index 6e32494..976763c 100644 --- a/media/libstagefright/OggExtractor.cpp +++ b/media/libstagefright/OggExtractor.cpp @@ -973,11 +973,12 @@ static void extractAlbumArt( } typeLen = U32_AT(&flac[4]); - if (typeLen + 1 > sizeof(type)) { + if (typeLen > sizeof(type) - 1) { goto exit; } - if (flacSize < 8 + typeLen) { + // we've already checked above that flacSize >= 8 + if (flacSize - 8 < typeLen) { goto exit; } @@ -993,13 +994,17 @@ static void extractAlbumArt( descLen = U32_AT(&flac[8 + typeLen]); - if (flacSize < 32 + typeLen + descLen) { + if (flacSize < 32 || + flacSize - 32 < typeLen || + flacSize - 32 - typeLen < descLen) { goto exit; } dataLen = U32_AT(&flac[8 + typeLen + 4 + descLen + 16]); - if (flacSize < 32 + typeLen + descLen + dataLen) { + + // we've already checked above that (flacSize - 32 - typeLen - descLen) >= 0 + if (flacSize - 32 - typeLen - descLen < dataLen) { goto exit; } |