Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit eecc406f authored by Robert Shih's avatar Robert Shih Committed by Android Git Automerger
Browse files

am 3b42241a: Merge "Prevent integer issues in ID3::Iterator::findFrame" into klp-dev

* commit '3b42241a':
  Prevent integer issues in ID3::Iterator::findFrame
parents f814f84e 3b42241a
Loading
Loading
Loading
Loading
+21 −2
Original line number Diff line number Diff line
@@ -659,6 +659,11 @@ void ID3::Iterator::findFrame() {

            mFrameSize += 6;

            // Prevent integer overflow in validation
            if (SIZE_MAX - mOffset <= mFrameSize) {
                return;
            }

            if (mOffset + mFrameSize > mParent.mSize) {
                ALOGV("partial frame at offset %d (size = %d, bytes-remaining = %d)",
                     mOffset, mFrameSize, mParent.mSize - mOffset - 6);
@@ -688,7 +693,7 @@ void ID3::Iterator::findFrame() {
                return;
            }

            size_t baseSize;
            size_t baseSize = 0;
            if (mParent.mVersion == ID3_V2_4) {
                if (!ParseSyncsafeInteger(
                            &mParent.mData[mOffset + 4], &baseSize)) {
@@ -698,7 +703,21 @@ void ID3::Iterator::findFrame() {
                baseSize = U32_AT(&mParent.mData[mOffset + 4]);
            }

            mFrameSize = 10 + baseSize;
            if (baseSize == 0) {
                return;
            }

            // Prevent integer overflow when adding
            if (SIZE_MAX - 10 <= baseSize) {
                return;
            }

            mFrameSize = 10 + baseSize; // add tag id, size field and flags

            // Prevent integer overflow in validation
            if (SIZE_MAX - mOffset <= mFrameSize) {
                return;
            }

            if (mOffset + mFrameSize > mParent.mSize) {
                ALOGV("partial frame at offset %d (size = %d, bytes-remaining = %d)",