From d2ebc0b9e147f9406db20ec4df61da50e3614ee4 Mon Sep 17 00:00:00 2001
From: Wei Jia
Date: Sun, 16 Aug 2015 17:41:50 -0700
Subject: libstagefright: check remaining data size before parsing it.

Bug: 23248776
Change-Id: I45cf53e58e4375afcf260b122264c968ec0ff6c8
(cherry picked from commit 3bf1e0fdf27e1188b8d3574ed073595b8eacb114)
---
 media/libstagefright/id3/ID3.cpp | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'media/libstagefright/id3/ID3.cpp')

diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d34f1a7..c3fb9bd 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -550,6 +550,9 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
 return;
 }
 
+ if (mFrameSize < getHeaderLength() + 1) {
+ return;
+ }
 size_t n = mFrameSize - getHeaderLength() - 1;
 if (otherdata) {
 // skip past the encoding, language, and the 0 separator
--
cgit v1.1
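Review bot: The added guard in `getstring()` only stops `mFrameSize - getHeaderLength() - 1` from wrapping below zero, so `n` can still be 0 or smaller than what the `otherdata` branch goes on to skip ("the encoding, language, and the 0 separator"). That branch's body, like the start and end of the function, lies outside the hunk, so this needs confirming; if it advances the data pointer by a fixed amount before consulting `n`, it needs its own bound, along the lines of `if (n < /* bytes skipped in this branch */) { return; }`. The guard would also benefit from a comment stating why it exists, for example `// n is size_t: a frame shorter than header + encoding byte would make the subtraction below wrap to a huge length`.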