libstagefright: check remaining data size before parsing it. Bug: 23248776 Change-Id: I45cf53e58e4375afcf260b122264c968ec0ff6c8 (cherry picked from commit 3bf1e0fdf27e1188b8d3574ed073595b8eacb114)

commit: d2ebc0b9e147f9406db20ec4df61da50e3614ee4 [log] [tgz]
author: Wei Jia <wjia@google.com> Sun Aug 16 17:41:50 2015 -0700
committer: Wei Jia <wjia@google.com> Mon Aug 17 13:51:26 2015 +0000
tree: ec78e3b3e29c9104836ac8fcd845d40b60aa1789
parent: 120f259d0de4dc048a2b9007c0f19b8808e59021 [diff]
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d34f1a7..c3fb9bd 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp

@@ -550,6 +550,9 @@
         return;
     }
 
+    if (mFrameSize < getHeaderLength() + 1) {
+        return;
+    }
     size_t n = mFrameSize - getHeaderLength() - 1;
     if (otherdata) {
         // skip past the encoding, language, and the 0 separator
commit	d2ebc0b9e147f9406db20ec4df61da50e3614ee4	[log] [tgz]
author	Wei Jia <wjia@google.com>	Sun Aug 16 17:41:50 2015 -0700
committer	Wei Jia <wjia@google.com>	Mon Aug 17 13:51:26 2015 +0000
tree	ec78e3b3e29c9104836ac8fcd845d40b60aa1789
parent	120f259d0de4dc048a2b9007c0f19b8808e59021 [diff]