Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fc0e2a87 authored by Wei Jia's avatar Wei Jia Committed by Android Git Automerger
Browse files

am 7ed8d1ef: ID3: check possible integer overflow for extendedHeaderSize and paddingSize. 

* commit '7ed8d1ef':
  ID3: check possible integer overflow for extendedHeaderSize and paddingSize.
parents 00f5fa82 7ed8d1ef

media/libstagefright/id3/ID3.cpp

+19 −2
Original line number Diff line number Diff line
@@ -194,6 +194,13 @@ struct id3_header { 


    if (header.version_major == 4) {

        void *copy = malloc(size);

        if (copy == NULL) {

            free(mData);

            mData = NULL;

            ALOGE("b/24623447, no more memory");

            return false;

        }



        memcpy(copy, mData, size);



        bool success = removeUnsynchronizationV2_4(false /* iTunesHack */);
@@ -234,7 +241,14 @@ struct id3_header { 
            return false;

        }



        size_t extendedHeaderSize = U32_AT(&mData[0]) + 4;

        size_t extendedHeaderSize = U32_AT(&mData[0]);

        if (extendedHeaderSize > SIZE_MAX - 4) {

            free(mData);

            mData = NULL;

            ALOGE("b/24623447, extendedHeaderSize is too large");

            return false;

        }

        extendedHeaderSize += 4;



        if (extendedHeaderSize > mSize) {

            free(mData);
@@ -252,7 +266,10 @@ struct id3_header { 
            if (extendedHeaderSize >= 10) {

                size_t paddingSize = U32_AT(&mData[6]);



                if (mFirstFrameOffset + paddingSize > mSize) {

                if (paddingSize > SIZE_MAX - mFirstFrameOffset) {

                    ALOGE("b/24623447, paddingSize is too large");

                }

                if (paddingSize > mSize - mFirstFrameOffset) {

                    free(mData);

                    mData = NULL;