
Commit 8cf3564d authored by Robert Shih's avatar Robert Shih Committed by Android Git Automerger

am eecc406f: am 3b42241a: Merge "Prevent integer issues in ID3::Iterator::findFrame" into klp-dev

* commit 'eecc406f':
  Prevent integer issues in ID3::Iterator::findFrame
parents 8319fadb eecc406f
+21 −2
@@ -638,6 +638,11 @@ void ID3::Iterator::findFrame() {

            mFrameSize += 6;

            // Prevent integer overflow in validation
            if (SIZE_MAX - mOffset <= mFrameSize) {
                return;
            }

            if (mOffset + mFrameSize > mParent.mSize) {
                ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
                    mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
@@ -667,7 +672,7 @@ void ID3::Iterator::findFrame() {
                return;
            }

            size_t baseSize;
            size_t baseSize = 0;
            if (mParent.mVersion == ID3_V2_4) {
                if (!ParseSyncsafeInteger(
                            &mParent.mData[mOffset + 4], &baseSize)) {
@@ -677,7 +682,21 @@ void ID3::Iterator::findFrame() {
                baseSize = U32_AT(&mParent.mData[mOffset + 4]);
            }

            mFrameSize = 10 + baseSize;
            if (baseSize == 0) {
                return;
            }

            // Prevent integer overflow when adding
            if (SIZE_MAX - 10 <= baseSize) {
                return;
            }

            mFrameSize = 10 + baseSize; // add tag id, size field and flags

            // Prevent integer overflow in validation
            if (SIZE_MAX - mOffset <= mFrameSize) {
                return;
            }

            if (mOffset + mFrameSize > mParent.mSize) {
                ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",