better validation lengths of strings in ID3 tags am: d23c01546c am: e3fad118bb... (75b2dc0d) · Commits · e / os / android_frameworks_av

media/libstagefright/id3/ID3.cpp

+42 −15

Original line number	Original line	Diff line number	Diff line
	@@ -77,7 +77,10 @@ ID3::ID3(const uint8_t *data, size_t size, bool ignoreV1)
	mFirstFrameOffset(0),		mFirstFrameOffset(0),
	mVersion(ID3_UNKNOWN),		mVersion(ID3_UNKNOWN),
	mRawSize(0) {		mRawSize(0) {
	sp<MemorySource> source = new MemorySource(data, size);		sp<MemorySource> source = new (std::nothrow) MemorySource(data, size);

			if (source == NULL)
			return;

	mIsValid = parseV2(source, 0);		mIsValid = parseV2(source, 0);

	@@ -542,6 +545,10 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
	n -= skipped;		n -= skipped;
	}		}

			if (n <= 0) {
			return;
			}

	if (encoding == 0x00) {		if (encoding == 0x00) {
	// supposedly ISO 8859-1		// supposedly ISO 8859-1
	id->setTo((const char*)frameData + 1, n);		id->setTo((const char*)frameData + 1, n);
	@@ -555,11 +562,16 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
	const char16_t framedata = (const char16_t ) (frameData + 1);		const char16_t framedata = (const char16_t ) (frameData + 1);
	char16_t *framedatacopy = NULL;		char16_t *framedatacopy = NULL;
	#if BYTE_ORDER == LITTLE_ENDIAN		#if BYTE_ORDER == LITTLE_ENDIAN
	framedatacopy = new char16_t[len];		if (len > 0) {
			framedatacopy = new (std::nothrow) char16_t[len];
			if (framedatacopy == NULL) {
			return;
			}
	for (int i = 0; i < len; i++) {		for (int i = 0; i < len; i++) {
	framedatacopy[i] = bswap_16(framedata[i]);		framedatacopy[i] = bswap_16(framedata[i]);
	}		}
	framedata = framedatacopy;		framedata = framedatacopy;
			}
	#endif		#endif
	id->setTo(framedata, len);		id->setTo(framedata, len);
	if (framedatacopy != NULL) {		if (framedatacopy != NULL) {
	@@ -572,15 +584,26 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
	const char16_t framedata = (const char16_t ) (frameData + 1);		const char16_t framedata = (const char16_t ) (frameData + 1);
	char16_t *framedatacopy = NULL;		char16_t *framedatacopy = NULL;
	if (*framedata == 0xfffe) {		if (*framedata == 0xfffe) {
	// endianness marker doesn't match host endianness, convert		// endianness marker != host endianness, convert & skip
	framedatacopy = new char16_t[len];		if (len <= 1) {
			return; // nothing after the marker
			}
			framedatacopy = new (std::nothrow) char16_t[len];
			if (framedatacopy == NULL) {
			return;
			}
	for (int i = 0; i < len; i++) {		for (int i = 0; i < len; i++) {
	framedatacopy[i] = bswap_16(framedata[i]);		framedatacopy[i] = bswap_16(framedata[i]);
	}		}
	framedata = framedatacopy;		framedata = framedatacopy;
			// and skip over the marker
			framedata++;
			len--;
			} else if (*framedata == 0xfeff) {
			// endianness marker == host endianness, skip it
			if (len <= 1) {
			return; // nothing after the marker
	}		}
	// If the string starts with an endianness marker, skip it
	if (*framedata == 0xfeff) {
	framedata++;		framedata++;
	len--;		len--;
	}		}
	@@ -595,7 +618,8 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
	}		}
	if (eightBit) {		if (eightBit) {
	// collapse to 8 bit, then let the media scanner client figure out the real encoding		// collapse to 8 bit, then let the media scanner client figure out the real encoding
	char *frame8 = new char[len];		char *frame8 = new (std::nothrow) char[len];
			if (frame8 != NULL) {
	for (int i = 0; i < len; i++) {		for (int i = 0; i < len; i++) {
	frame8[i] = framedata[i];		frame8[i] = framedata[i];
	}		}
	@@ -604,6 +628,9 @@ void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
	} else {		} else {
	id->setTo(framedata, len);		id->setTo(framedata, len);
	}		}
			} else {
			id->setTo(framedata, len);
			}

	if (framedatacopy != NULL) {		if (framedatacopy != NULL) {
	delete[] framedatacopy;		delete[] framedatacopy;