From 985e33c71917a8c7f3cc5bbb2bd0d1feb188c258 Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake"
Date: Sat, 15 Aug 2015 08:31:32 -0500
Subject: Prevent integer underflows in ID3::Iterator
If mFrameSize is less than or equal to getHeaderLength(), an integer underflow will occur. This typically leads to a crash reading out of bounds in the following code. Prevent this from happening by validating mFrameSize. Also add NULL checks after references to ID3::Iterator::getData.
Bug: 23285887
Change-Id: I35eeda3c5349ebbd9ffb3ea49b79af6a940d1395
---
 media/libstagefright/id3/ID3.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
 (limited to 'media/libstagefright/id3')
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 76d65f0..4f4248c 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -619,6 +619,11 @@ const uint8_t *ID3::Iterator::getData(size_t *length) const {
 return NULL;
 }
+ // Prevent integer underflow
+ if (mFrameSize < getHeaderLength()) {
+ return NULL;
+ }
+
 *length = mFrameSize - getHeaderLength();
 return mFrameData;
@@ -833,6 +838,9 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
 while (!it.done()) {
 size_t size;
 const uint8_t *data = it.getData(&size);
+ if (!data) {
+ return NULL;
+ }
 if (mVersion == ID3_V2_3 || mVersion == ID3_V2_4) {
 uint8_t encoding = data[0];
-- cgit v1.1
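Review bot: The new guard in `ID3::Iterator::getData` compares with `<`, so a frame whose mFrameSize equals getHeaderLength() still passes and the function returns a non-NULL `mFrameData` with `*length == 0`. That case does not wrap, but a caller that tests only the pointer can still read past a zero-length payload, so the comment should state the contract, for example `// Prevent integer underflow; an equal size yields *length == 0 with a non-NULL pointer, so callers must check the length too`. The early `return NULL` also leaves `*length` at whatever the code before this hunk set it to; the start of getData is outside the hunk, so it is worth confirming that it is zeroed there.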
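Review bot: `uint8_t encoding = data[0];` in `ID3::getAlbumArt` is still reached without any check on `size`, because the added `if (!data)` test rejects only the NULL return. getData can hand back a non-NULL pointer with a length of 0 when mFrameSize equals the header length, so the first-byte read can still land outside the frame payload. Widening the guard to `if (!data || size == 0) {` would cover this read. The loop body continues past the end of the hunk, and any later indexing of `data` there presumably needs to be bounded by `size` in the same way.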