Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fc0e2a87 authored by Wei Jia's avatar Wei Jia Committed by Android Git Automerger
Browse files

am 7ed8d1ef: ID3: check possible integer overflow for extendedHeaderSize and paddingSize.

* commit '7ed8d1ef':
  ID3: check possible integer overflow for extendedHeaderSize and paddingSize.
parents 00f5fa82 7ed8d1ef
Loading
Loading
Loading
Loading
+19 −2
Original line number Diff line number Diff line
@@ -194,6 +194,13 @@ struct id3_header {

    if (header.version_major == 4) {
        void *copy = malloc(size);
        if (copy == NULL) {
            free(mData);
            mData = NULL;
            ALOGE("b/24623447, no more memory");
            return false;
        }

        memcpy(copy, mData, size);

        bool success = removeUnsynchronizationV2_4(false /* iTunesHack */);
@@ -234,7 +241,14 @@ struct id3_header {
            return false;
        }

        size_t extendedHeaderSize = U32_AT(&mData[0]) + 4;
        size_t extendedHeaderSize = U32_AT(&mData[0]);
        if (extendedHeaderSize > SIZE_MAX - 4) {
            free(mData);
            mData = NULL;
            ALOGE("b/24623447, extendedHeaderSize is too large");
            return false;
        }
        extendedHeaderSize += 4;

        if (extendedHeaderSize > mSize) {
            free(mData);
@@ -252,7 +266,10 @@ struct id3_header {
            if (extendedHeaderSize >= 10) {
                size_t paddingSize = U32_AT(&mData[6]);

                if (mFirstFrameOffset + paddingSize > mSize) {
                if (paddingSize > SIZE_MAX - mFirstFrameOffset) {
                    ALOGE("b/24623447, paddingSize is too large");
                }
                if (paddingSize > mSize - mFirstFrameOffset) {
                    free(mData);
                    mData = NULL;