Google Git
Sign in
android / platform / frameworks / av / 00887af170d5302d1030e107ed3db969b05edcb4^1..00887af170d5302d1030e107ed3db969b05edcb4 / .
commit00887af170d5302d1030e107ed3db969b05edcb4[log] [tgz]
authorNeel Mehta <nmehta@google.com>Tue Aug 18 16:40:47 2015 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>Tue Aug 18 16:40:47 2015 +0000
tree2b70c9c85a465527e656f89fbb0723c6750487fd
parent3c803e7f777ad745b1b2cae0bdb2a31b11d47e80 [diff]
parente9a8362e1d379e90655e904ca49d6333e4218eda [diff]
am e9a8362e: am a2a68264: am c37f7f6f: Fix for memory corruption in ID3::removeUnsynchronizationV2_4(). Bug: 23227354

* commit 'e9a8362e1d379e90655e904ca49d6333e4218eda':
  Fix for memory corruption in ID3::removeUnsynchronizationV2_4(). Bug: 23227354

diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index a39aecf..fb3ae49 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp

@@ -349,7 +349,7 @@
         if (flags & 1) {
             // Strip data length indicator
 
-            if (mSize < 14 || mSize - 14 < offset) {
+            if (mSize < 14 || mSize - 14 < offset || dataSize < 4) {
                 return false;
             }
             memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);