Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit eecc406f authored by Robert Shih's avatar Robert Shih Committed by Android Git Automerger
Browse files

am 3b42241a: Merge "Prevent integer issues in ID3::Iterator::findFrame" into klp-dev 

* commit '3b42241a':
  Prevent integer issues in ID3::Iterator::findFrame
parents f814f84e 3b42241a

media/libstagefright/id3/ID3.cpp

+21 −2
Original line number Diff line number Diff line
@@ -659,6 +659,11 @@ void ID3::Iterator::findFrame() { 


            mFrameSize += 6;



            // Prevent integer overflow in validation

            if (SIZE_MAX - mOffset <= mFrameSize) {

                return;

            }



            if (mOffset + mFrameSize > mParent.mSize) {

                ALOGV("partial frame at offset %d (size = %d, bytes-remaining = %d)",

                     mOffset, mFrameSize, mParent.mSize - mOffset - 6);
@@ -688,7 +693,7 @@ void ID3::Iterator::findFrame() { 
                return;

            }



            size_t baseSize;

            size_t baseSize = 0;

            if (mParent.mVersion == ID3_V2_4) {

                if (!ParseSyncsafeInteger(

                            &mParent.mData[mOffset + 4], &baseSize)) {
@@ -698,7 +703,21 @@ void ID3::Iterator::findFrame() { 
                baseSize = U32_AT(&mParent.mData[mOffset + 4]);

            }



            mFrameSize = 10 + baseSize;

            if (baseSize == 0) {

                return;

            }



            // Prevent integer overflow when adding

            if (SIZE_MAX - 10 <= baseSize) {

                return;

            }



            mFrameSize = 10 + baseSize; // add tag id, size field and flags



            // Prevent integer overflow in validation

            if (SIZE_MAX - mOffset <= mFrameSize) {

                return;

            }



            if (mOffset + mFrameSize > mParent.mSize) {

                ALOGV("partial frame at offset %d (size = %d, bytes-remaining = %d)",