diff options
-rw-r--r-- | media/libmedia/IMediaHTTPConnection.cpp | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/media/libmedia/IMediaHTTPConnection.cpp b/media/libmedia/IMediaHTTPConnection.cpp index 7e26ee6..a5a3714 100644 --- a/media/libmedia/IMediaHTTPConnection.cpp +++ b/media/libmedia/IMediaHTTPConnection.cpp @@ -24,6 +24,7 @@ #include <binder/Parcel.h> #include <utils/String8.h> #include <media/stagefright/foundation/ADebug.h> +#include <media/stagefright/MediaErrors.h> namespace android { @@ -106,11 +107,18 @@ struct BpMediaHTTPConnection : public BpInterface<IMediaHTTPConnection> { return UNKNOWN_ERROR; } - int32_t len = reply.readInt32(); + size_t len = reply.readInt32(); - if (len > 0) { - memcpy(buffer, mMemory->pointer(), len); + if (len > size) { + ALOGE("requested %zu, got %zu", size, len); + return ERROR_OUT_OF_RANGE; } + if (len > mMemory->size()) { + ALOGE("got %zu, but memory has %zu", len, mMemory->size()); + return ERROR_OUT_OF_RANGE; + } + + memcpy(buffer, mMemory->pointer(), len); return len; } |