better validation lengths of strings in ID3 tags
Validate lengths on strings in ID3 tags, particularly around 0.
Also added code to handle cases when we can't get memory for
copies of strings we want to extract from these tags.
Affects L/M/N/master, same patch for all of them.
Bug: 30744884
Change-Id: I2675a817a39f0927ec1f7e9f9c09f2e61020311e
Test: play mp3 file which caused a <0 length.
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index ed2d941..b1b761f 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -77,7 +77,10 @@
mFirstFrameOffset(0),
mVersion(ID3_UNKNOWN),
mRawSize(0) {
- sp<MemorySource> source = new MemorySource(data, size);
+ sp<MemorySource> source = new (std::nothrow) MemorySource(data, size);
+
+ if (source == NULL)
+ return;
mIsValid = parseV2(source, 0);
@@ -542,6 +545,10 @@
n -= skipped;
}
+ if (n <= 0) {
+ return;
+ }
+
if (encoding == 0x00) {
// supposedly ISO 8859-1
id->setTo((const char*)frameData + 1, n);
@@ -555,11 +562,16 @@
const char16_t *framedata = (const char16_t *) (frameData + 1);
char16_t *framedatacopy = NULL;
#if BYTE_ORDER == LITTLE_ENDIAN
- framedatacopy = new char16_t[len];
- for (int i = 0; i < len; i++) {
- framedatacopy[i] = bswap_16(framedata[i]);
+ if (len > 0) {
+ framedatacopy = new (std::nothrow) char16_t[len];
+ if (framedatacopy == NULL) {
+ return;
+ }
+ for (int i = 0; i < len; i++) {
+ framedatacopy[i] = bswap_16(framedata[i]);
+ }
+ framedata = framedatacopy;
}
- framedata = framedatacopy;
#endif
id->setTo(framedata, len);
if (framedatacopy != NULL) {
@@ -572,15 +584,26 @@
const char16_t *framedata = (const char16_t *) (frameData + 1);
char16_t *framedatacopy = NULL;
if (*framedata == 0xfffe) {
- // endianness marker doesn't match host endianness, convert
- framedatacopy = new char16_t[len];
+ // endianness marker != host endianness, convert & skip
+ if (len <= 1) {
+ return; // nothing after the marker
+ }
+ framedatacopy = new (std::nothrow) char16_t[len];
+ if (framedatacopy == NULL) {
+ return;
+ }
for (int i = 0; i < len; i++) {
framedatacopy[i] = bswap_16(framedata[i]);
}
framedata = framedatacopy;
- }
- // If the string starts with an endianness marker, skip it
- if (*framedata == 0xfeff) {
+ // and skip over the marker
+ framedata++;
+ len--;
+ } else if (*framedata == 0xfeff) {
+ // endianness marker == host endianness, skip it
+ if (len <= 1) {
+ return; // nothing after the marker
+ }
framedata++;
len--;
}
@@ -595,12 +618,16 @@
}
if (eightBit) {
// collapse to 8 bit, then let the media scanner client figure out the real encoding
- char *frame8 = new char[len];
- for (int i = 0; i < len; i++) {
- frame8[i] = framedata[i];
+ char *frame8 = new (std::nothrow) char[len];
+ if (frame8 != NULL) {
+ for (int i = 0; i < len; i++) {
+ frame8[i] = framedata[i];
+ }
+ id->setTo(frame8, len);
+ delete [] frame8;
+ } else {
+ id->setTo(framedata, len);
}
- id->setTo(frame8, len);
- delete [] frame8;
} else {
id->setTo(framedata, len);
}
