From a2d1d85726aa2a3126e9c331a8e00a8c319c9e2b Mon Sep 17 00:00:00 2001
From: Robert Shih
Date: Fri, 18 Mar 2016 14:34:57 -0700
Subject: NuPlayerStreamListener: NULL and bounds check before memcpy

Bug: 27533704
Change-Id: I992a7709b92b1cbc3114c97bec48a3fc5b22ba6e
---
 .../libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 (limited to 'media/libmediaplayerservice')
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
index f53afbd..ee70306 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
@@ -144,8 +144,17 @@ ssize_t NuPlayer::NuPlayerStreamListener::read(
 copy = size;
 }
 
+ if (entry->mIndex >= mBuffers.size()) {
+ return ERROR_MALFORMED;
+ }
+
+ sp mem = mBuffers.editItemAt(entry->mIndex);
+ if (mem == NULL || mem->size() < copy || mem->size() - copy < entry->mOffset) {
+ return ERROR_MALFORMED;
+ }
+
 memcpy(data,
- (const uint8_t *)mBuffers.editItemAt(entry->mIndex)->pointer()
+ (const uint8_t *)mem->pointer()
 + entry->mOffset,
 copy);
 
--
cgit v1.1
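Review bot: The new guard rejects a null `mem` and an out-of-range offset/length, but the address returned by `mem->pointer()` is still passed to memcpy unchecked. If the underlying mapping is unavailable, pointer() presumably returns NULL (confirm against IMemory), and the copy would then read from `NULL + entry->mOffset`. Consider taking it once before the memcpy, `const uint8_t *src = (const uint8_t *)mem->pointer();` followed by `if (src == NULL) return ERROR_MALFORMED;`. The second condition deserves a one-line comment such as `// subtraction form: mOffset + copy could wrap, size() - copy cannot once size() >= copy`, so a later edit does not "simplify" it into an overflowing sum. read() starts and ends outside the hunk, so whether a rejected entry stays at the head of the queue and fails every later read cannot be judged from here.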