libstagefright: check remaining data size before parsing it.
Bug: 23248776
Change-Id: I45cf53e58e4375afcf260b122264c968ec0ff6c8
(cherry picked from commit 3bf1e0fdf27e1188b8d3574ed073595b8eacb114)
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d34f1a7..c3fb9bd 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -550,6 +550,9 @@
return;
}
+ if (mFrameSize < getHeaderLength() + 1) {
+ return;
+ }
size_t n = mFrameSize - getHeaderLength() - 1;
if (otherdata) {
// skip past the encoding, language, and the 0 separator