diff options
author | Nick Kralevich <nnk@google.com> | 2015-05-08 03:28:24 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-05-08 03:28:25 +0000 |
commit | f7cd8bfdb48c4237969bc16d25b6bec204073340 (patch) | |
tree | 00e74c0b9fcdec723b7f004bd7cfe7ab75d77973 /media | |
parent | 0d342b9a11557e228d6c94be92579d891ba830d8 (diff) | |
parent | 9458e715d391ee8fe455fc31f07ff35ce12e0531 (diff) | |
download | frameworks_av-f7cd8bfdb48c4237969bc16d25b6bec204073340.zip frameworks_av-f7cd8bfdb48c4237969bc16d25b6bec204073340.tar.gz frameworks_av-f7cd8bfdb48c4237969bc16d25b6bec204073340.tar.bz2 |
Merge "Prevent integer underflow if size is below 6" into mnc-dev
Diffstat (limited to 'media')
-rw-r--r-- | media/libstagefright/MPEG4Extractor.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp index 7bcf181..b5eb2a4 100644 --- a/media/libstagefright/MPEG4Extractor.cpp +++ b/media/libstagefright/MPEG4Extractor.cpp @@ -2682,6 +2682,10 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept int len16 = 0; // Number of UTF-16 characters // smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00 + if (size < 6) { + return ERROR_MALFORMED; + } + if (size - 6 >= 4) { len16 = ((size - 6) / 2) - 1; // don't include 0x0000 terminator framedata = (char16_t *)(buffer + 6); |