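--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -641,6 +641,11 @@ void ID3::Iterator::findFrame() {
 }
 mFrameSize += 6; // add tag id and size field
+// Prevent integer overflow in validation
+if (SIZE_MAX - mOffset <= mFrameSize) {
+return;
+}
 if (mOffset + mFrameSize > mParent.mSize) {
 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
 mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
@@ -670,7 +675,7 @@ void ID3::Iterator::findFrame() {
 return;
 }
-size_t baseSize;
+size_t baseSize = 0;
 if (mParent.mVersion == ID3_V2_4) {
 if (!ParseSyncsafeInteger(
 &mParent.mData[mOffset + 4], &baseSize)) {
@@ -684,8 +689,18 @@ void ID3::Iterator::findFrame() {
 return;
 }
+// Prevent integer overflow when adding
+if (SIZE_MAX - 10 <= baseSize) {
+return;
+}
 mFrameSize = 10 + baseSize; // add tag id, size field and flags
+// Prevent integer overflow in validation
+if (SIZE_MAX - mOffset <= mFrameSize) {
+return;
+}
 if (mOffset + mFrameSize > mParent.mSize) {
 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
 mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)10);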
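Review bot: The three new overflow guards in findFrame() return without logging, while the partial-frame branch directly below each of them reports through ALOGV, so a tag whose size field trips a guard leaves no trace for whoever later triages a malformed file. I would log before each `return`, for example `ALOGW("frame size overflow at offset %zu (size = %zu)", mOffset, mFrameSize);`, and print `baseSize` instead in the `SIZE_MAX - 10 <= baseSize` guard, because mFrameSize is only assigned on the line after it. The guards compare with `<=`, which also rejects a sum that equals SIZE_MAX and would not wrap; that is harmless, but the comment could say the bound is deliberately conservative. The body of findFrame() starts and ends outside these hunks, so the state the iterator is left in on these early returns cannot be confirmed from this page.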