am f26400c9: Fix crash on malformed id3

* commit 'f26400c9d01a0e2f71690d5ebc644270f098d590':
  Fix crash on malformed id3
diff --git a/include/media/stagefright/MetaData.h b/include/media/stagefright/MetaData.h
index db8216b..f51c12d 100644
--- a/include/media/stagefright/MetaData.h
+++ b/include/media/stagefright/MetaData.h
@@ -248,7 +248,7 @@
             return mSize <= sizeof(u.reservoir);
         }
 
-        void allocateStorage(size_t size);
+        void *allocateStorage(size_t size);
         void freeStorage();
 
         void *storage() {
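Review bot: The changed declaration of `allocateStorage` has no comment stating its new contract, and the return value is now the only failure signal callers get. I would add above it: `// Sets mSize and returns the buffer for |size| bytes; returns NULL and resets mSize to 0 if allocation fails.` That wording matches the definition in MetaData.cpp in this same commit.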
diff --git a/media/libstagefright/MetaData.cpp b/media/libstagefright/MetaData.cpp
index cfc5f19..725f97e 100644
--- a/media/libstagefright/MetaData.cpp
+++ b/media/libstagefright/MetaData.cpp
@@ -243,8 +243,11 @@
 MetaData::typed_data::typed_data(const typed_data &from)
     : mType(from.mType),
       mSize(0) {
-    allocateStorage(from.mSize);
-    memcpy(storage(), from.storage(), mSize);
+
+    void *dst = allocateStorage(from.mSize);
+    if (dst) {
+        memcpy(dst, from.storage(), mSize);
+    }
 }
 
 MetaData::typed_data &MetaData::typed_data::operator=(
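Review bot: When `allocateStorage` returns NULL, the copy constructor leaves the object with `mType` copied from `from` but `mSize` at 0, and nothing tells the caller the copy was incomplete. The same applies to the `operator=` hunk and the `setData` hunk below, where `mType` is assigned before the allocation is attempted. A consumer that trusts the type tag and expects a fixed-size payload could misread such an item, so consider clearing the type on failure, e.g. `if (dst) { memcpy(dst, from.storage(), mSize); } else { mType = 0; }`, assuming 0 is this class's "no type" value (not visible here). At minimum, add a comment at each of the three sites saying that a failed allocation produces an empty item.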
@@ -252,8 +255,10 @@
     if (this != &from) {
         clear();
         mType = from.mType;
-        allocateStorage(from.mSize);
-        memcpy(storage(), from.storage(), mSize);
+        void *dst = allocateStorage(from.mSize);
+        if (dst) {
+            memcpy(dst, from.storage(), mSize);
+        }
     }
 
     return *this;
@@ -270,13 +275,11 @@
     clear();
 
     mType = type;
-    allocateStorage(size);
-    void *dst = storage();
-    if (!dst) {
-        ALOGE("Couldn't allocate %zu bytes for item", size);
-        return;
+
+    void *dst = allocateStorage(size);
+    if (dst) {
+        memcpy(dst, data, size);
     }
-    memcpy(dst, data, size);
 }
 
 void MetaData::typed_data::getData(
@@ -286,14 +289,19 @@
     *data = storage();
 }
 
-void MetaData::typed_data::allocateStorage(size_t size) {
+void *MetaData::typed_data::allocateStorage(size_t size) {
     mSize = size;
 
     if (usesReservoir()) {
-        return;
+        return &u.reservoir;
     }
 
     u.ext_data = malloc(mSize);
+    if (u.ext_data == NULL) {
+        ALOGE("Couldn't allocate %zu bytes for item", size);
+        mSize = 0;
+    }
+    return u.ext_data;
 }
 
 void MetaData::typed_data::freeStorage() {
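Review bot: The `mSize = 0;` in the malloc-failure branch does more than report an empty size, and the reason is not written down. With `mSize` at 0, `usesReservoir()` (which is `mSize <= sizeof(u.reservoir)` in the header) is true again, so the object presumably stops being treated as owning an external buffer; `freeStorage()` is not shown, so that part is inferred. I would add a comment on that line such as `// Back to reservoir mode so later storage()/freeStorage() calls never touch the NULL ext_data.` A later edit that drops the reset or changes its order would bring back the NULL dereference this commit removes.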
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index 1ec4a40..461bf6e 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -825,6 +825,12 @@
 
             size_t descLen = StringSize(&data[2 + mimeLen], encoding);
 
+            if (size < 2 ||
+                    size - 2 < mimeLen ||
+                    size - 2 - mimeLen < descLen) {
+                ALOGW("bogus album art sizes");
+                return NULL;
+            }
             *length = size - 2 - mimeLen - descLen;
 
             return &data[2 + mimeLen + descLen];
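Review bot: The new size check runs only after `StringSize(&data[2 + mimeLen], encoding)` has already read from `data` at offset `2 + mimeLen`, so a frame whose MIME string reaches or passes the end of the frame can still trigger a read beyond `size` before it is rejected. The `size < 2 || size - 2 < mimeLen` part should run before the StringSize call, with the `descLen` comparison kept after it. StringSize is not visible here; if it scans for a terminator without a length limit, the complete fix is to pass it the remaining byte count (`size - 2 - mimeLen`) as well. The enclosing function starts and ends outside the hunk, including the place where `mimeLen` is computed.

```cpp
// … unchanged: mimeLen computation above the hunk …
if (size < 2 || size - 2 < mimeLen) {
    ALOGW("bogus album art sizes");
    return NULL;
}

size_t descLen = StringSize(&data[2 + mimeLen], encoding);

if (size - 2 - mimeLen < descLen) {
    ALOGW("bogus album art sizes");
    return NULL;
}
// … unchanged: *length assignment and return of &data[2 + mimeLen + descLen] …
```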