Make sure the .wav extractor does not read data outside the bounds of the 'data' box.
Change-Id: Icf18f9224d97e6a78328dd429ebc3a3433e5cecd
related-to-bug: 3007790
diff --git a/media/libstagefright/WAVExtractor.cpp b/media/libstagefright/WAVExtractor.cpp
index 57c1075..aff06bc 100644
--- a/media/libstagefright/WAVExtractor.cpp
+++ b/media/libstagefright/WAVExtractor.cpp
@@ -331,9 +331,20 @@
return err;
}
+ size_t maxBytesToRead =
+ mBitsPerSample == 8 ? kMaxFrameSize / 2 : kMaxFrameSize;
+
+ size_t maxBytesAvailable =
+ (mCurrentPos - mOffset >= (off_t)mSize)
+ ? 0 : mSize - (mCurrentPos - mOffset);
+
+ if (maxBytesToRead > maxBytesAvailable) {
+ maxBytesToRead = maxBytesAvailable;
+ }
+
ssize_t n = mDataSource->readAt(
mCurrentPos, buffer->data(),
- mBitsPerSample == 8 ? kMaxFrameSize / 2 : kMaxFrameSize);
+ maxBytesToRead);
if (n <= 0) {
buffer->release();
