diff options
author | Ray Essick <essick@google.com> | 2016-11-02 14:17:57 -0700 |
---|---|---|
committer | mh0rst <mhorst@tzi.de> | 2017-01-13 11:50:13 +0100 |
commit | 8dea6a22058328109dc1fcb7450ca5553f35b4df (patch) | |
tree | 0b2fe97c99c02823400ed55207cf739fd10c5aa8 /radio | |
parent | 621ca73010f3954566b27c6554ce992cc6069670 (diff) | |
download | frameworks_av-8dea6a22058328109dc1fcb7450ca5553f35b4df.zip frameworks_av-8dea6a22058328109dc1fcb7450ca5553f35b4df.tar.gz frameworks_av-8dea6a22058328109dc1fcb7450ca5553f35b4df.tar.bz2 |
DO NOT MERGE: defensive parsing of mp3 album art information
several points in stagefrights mp3 album art code
used strlen() to parse user-supplied strings that may be
unterminated, resulting in reading beyond the end of a buffer.
This changes the code to use strnlen() for 8-bit encodings and
strengthens the parsing of 16-bit encodings similarly. It also
reworks how we watch for the end-of-buffer to avoid all over-reads.
Bug: 32377688
Test: crafted mp3's w/ good/bad cover art. See what showed in play music
Change-Id: Ia9f526d71b21ef6a61acacf616b573753cd21df6
(cherry picked from commit fa0806b594e98f1aed3ebcfc6a801b4c0056f9eb)
(cherry picked from commit 7a3246b870ddd11861eda2ab458b11d723c7f62c)
Diffstat (limited to 'radio')
0 files changed, 0 insertions, 0 deletions