From 985e33c71917a8c7f3cc5bbb2bd0d1feb188c258 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake"
Date: Sat, 15 Aug 2015 08:31:32 -0500
Subject: Prevent integer underflows in ID3::Iterator
If mFrameSize is less than or equal to getHeaderLength(), an integer underflow will occur. This typically leads to a crash reading out of bounds in the following code. Prevent this from happening by validating mFrameSize. Also add NULL checks after references to ID3::Iterator::getData.
Bug: 23285887
Change-Id: I35eeda3c5349ebbd9ffb3ea49b79af6a940d1395
---
media/libstagefright/httplive/PlaylistFetcher.cpp | 3 +++
1 file changed, 3 insertions(+)
(limited to 'media/libstagefright/httplive/PlaylistFetcher.cpp')
diff --git a/media/libstagefright/httplive/PlaylistFetcher.cpp b/media/libstagefright/httplive/PlaylistFetcher.cpp
index 52be368..b030e90 100644
--- a/media/libstagefright/httplive/PlaylistFetcher.cpp
+++ b/media/libstagefright/httplive/PlaylistFetcher.cpp
@@ -1911,6 +1911,9 @@ status_t PlaylistFetcher::extractAndQueueAccessUnits(
 while (!it.done()) {
 size_t length;
 const uint8_t *data = it.getData(&length);
+ if (!data) {
+ return ERROR_MALFORMED;
+ }
 static const char *kMatchName = "com.apple.streaming.transportStreamTimestamp";
-- cgit v1.1
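Review bot: The added `if (!data)` guard only covers a failed `getData()`; `length` is declared uninitialized just above it and nothing in this hunk checks it before `data` is used. The loop body continues outside the hunk, so this may already be handled there. If the code after `kMatchName` compares against or reads past the name in `data`, those reads should be bounded by `length`, for example by requiring `length > strlen(kMatchName)` before the comparison rather than relying on a terminator inside the frame. A one-line comment on the guard would also help the next reader, something like `// getData() returns NULL for a malformed frame; stop parsing this ID3 tag`. That wording is inferred from the commit message, since the ID3 side of the change is not shown in this path-limited view.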