From f26400c9d01a0e2f71690d5ebc644270f098d590 Mon Sep 17 00:00:00 2001
From: Marco Nelissen
Date: Tue, 4 Aug 2015 16:49:28 -0700
Subject: Fix crash on malformed id3
Bug: 22954006
Change-Id: I488cb1e2c69fc7043b6040481b30fa866000515d
---
 media/libstagefright/id3/ID3.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'media/libstagefright/id3')
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 34d671a..7f478f7 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -825,6 +825,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
 size_t descLen = StringSize(&data[2 + mimeLen], encoding);
+ if (size < 2 ||
+ size - 2 < mimeLen ||
+ size - 2 - mimeLen < descLen) {
+ ALOGW("bogus album art sizes");
+ return NULL;
+ }
 *length = size - 2 - mimeLen - descLen;
 return &data[2 + mimeLen + descLen];
-- 
cgit v1.1
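Review bot: The added size check sits after `size_t descLen = StringSize(&data[2 + mimeLen], encoding);`, so on a malformed frame the description scan has already started at `data[2 + mimeLen]` before that offset is compared with `size`. `StringSize` is called with only a pointer and an encoding, so it presumably walks to a terminator with no upper bound; its definition and the computation of `mimeLen` are outside the hunk and should be confirmed. I would test the part that does not depend on `descLen` first, `if (size < 2 || size - 2 < mimeLen) { ALOGW("bogus album art sizes"); return NULL; }`, ahead of the `StringSize` call, and keep only `size - 2 - mimeLen < descLen` after it. Passing the remaining length `size - 2 - mimeLen` into `StringSize` would bound the scan itself, but that needs a signature change beyond this hunk. A one-line comment above the check stating that `size` is the frame payload length taken from the tag would also help the next reader see why the subtraction order matters for unsigned values.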