From e6d904fe5f6e7c7fc1d5fca2798dd3512468b118 Mon Sep 17 00:00:00 2001
From: Wei Jia <wjia@google.com>
Date: Mon, 28 Sep 2015 14:50:47 -0700
Subject: MPEG4Extractor: ensure buffer size is not less than 8 for
 LastCommentData.

Bug: 24346430
Change-Id: I897a724e968841d9160f819d06c0ce22f6d743c4
(cherry picked from commit 5cae16bdce77b0a3ba590b55637f7d55a2f35402)
---
 media/libstagefright/MPEG4Extractor.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'media/libstagefright/MPEG4Extractor.cpp')

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 92065d1..990aa54 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2153,6 +2153,12 @@ status_t MPEG4Extractor::parseMetaData(off64_t offset, size_t size) {
                     mLastCommentName.setTo((const char *)buffer + 4);
                     break;
                 case FOURCC('d', 'a', 't', 'a'):
+                    if (size < 8) {
+                        delete[] buffer;
+                        buffer = NULL;
+                        ALOGE("b/24346430");
+                        return ERROR_MALFORMED;
+                    }
                     mLastCommentData.setTo((const char *)buffer + 8);
                     break;
             }
-- 
cgit v1.1