From 5cea0155cfc41f67e91343c342f44251c03fde3a Mon Sep 17 00:00:00 2001
From: "Joshua J. Drake"
Date: Mon, 4 May 2015 17:33:49 -0500
Subject: Prevent reading past the end of the buffer in 3GPP Metadata processed within the parse3GPPMetaData function may not be NUL terminated and thus calling setCString may read out of bounds. Ensure proper NUL termination, but take care not to interfere with other special cases (ie, albm).
Bug: 20923261
Change-Id: Ie93b3038b534b4c4460571a68f4d734cff7ad324
---
 media/libstagefright/MPEG4Extractor.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'media')

diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 6573afc..1f1d751 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -2605,11 +2605,11 @@ status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) {
 }
 
 status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
-    if (size < 4) {
+    if (size < 4 || size == SIZE_MAX) {
         return ERROR_MALFORMED;
     }
 
-    uint8_t *buffer = new (std::nothrow) uint8_t[size];
+    uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
     if (buffer == NULL) {
         return ERROR_MALFORMED;
     }
@@ -2701,6 +2701,7 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept
     }
 
     if (isUTF8) {
+        buffer[size] = 0;
         mFileMetaData->setCString(metadataKey, (const char *)buffer + 6);
     } else {
         // Convert from UTF-16 string to UTF-8 string.
-- 
cgit v1.1
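Review bot: The new guard `if (size < 4 || size == SIZE_MAX)` still admits size 4 and 5, yet the string consumer in the second hunk starts at `buffer + 6`; for those sizes the start pointer already lies past the terminator written at `buffer[size]`, so the NUL added by this commit does not bound the read. Unless the elided middle of parse3GPPMetaData already rejects `size < 6` (not visible here), the minimum should match the payload offset, `if (size < 6 || size == SIZE_MAX)`, or the elided check should be moved up next to this one so the two guards are not maintained apart. The `SIZE_MAX` clause correctly prevents `size + 1` from wrapping to a zero-length allocation, but `size` is still an attacker-chosen atom length; a comment such as `// size is read from the file; +1 reserves room for a NUL terminator, SIZE_MAX would wrap` would tell the next maintainer why both halves of the condition exist. The function body continues past the end of this hunk.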
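Review bot: `buffer[size] = 0;` is placed inside the `isUTF8` branch rather than right after the allocation, and nothing at the write site says why, so a later reader is likely to "simplify" it by hoisting it and silently re-break whatever special case the commit message alludes to (albm). Add a comment at the write, `// buffer has size + 1 bytes; terminate only on the UTF-8 path, other keys (e.g. albm) must see the raw payload untouched`, with the albm reason hedged as coming from the commit description since that code is not in this hunk. The UTF-16 branch that follows is not terminated by this change; whether its conversion is bounded by `size` or relies on an in-band 0x0000 cannot be seen from the visible lines, so that path deserves the same review before this is considered closed. The enclosing function starts and ends outside this hunk.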