Merge "Fix out of bounds access" into klp-dev am: 360cbbd72c am: f71b76cae8 am: 36c2e14da3 am: 8a3cc1963e am: 5b0ca6a92c
am: d270a899c2
Change-Id: I64b30e83c6825a83ff628477a58d607eded0ec7d
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index c6e3c61..667b83e 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -379,7 +379,7 @@
flags &= ~1;
}
- if (flags & 2) {
+ if ((flags & 2) && (dataSize >= 2)) {
// This file has "unsynchronization", so we have to replace occurrences
// of 0xff 0x00 with just 0xff in order to get the real data.
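Review bot: The new `dataSize >= 2` guard on the unsynchronization branch carries no comment, so a reader has to reconstruct why a payload shorter than two bytes is skipped (it cannot hold the `0xff 0x00` pair, and the replacement loop below presumably consumes bytes in pairs) and that the frame's unsync bit is nevertheless still cleared afterwards, since the other hunk moves `flags &= ~2` outside this `if`. Add above the condition: `// A payload shorter than 2 bytes cannot contain an 0xff 0x00 pair; skipping it also keeps the loop below from reading past the frame. The unsync flag is still cleared below.` The enclosing function starts before this hunk, so the origin of dataSize is not visible here.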
@@ -395,11 +395,15 @@
mData[writeOffset++] = mData[readOffset++];
}
// move the remaining data following this frame
- memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+ if (readOffset <= oldSize) {
+ memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
+ } else {
+ ALOGE("b/34618607 (%zu %zu %zu %zu)", readOffset, writeOffset, oldSize, mSize);
+ android_errorWriteLog(0x534e4554, "34618607");
+ }
- flags &= ~2;
}
-
+ flags &= ~2;
if (flags != prevFlags || iTunesHack) {
WriteSyncsafeInteger(&mData[offset + 4], dataSize);
mData[offset + 8] = flags >> 8;
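Review bot: The else branch at the new `readOffset <= oldSize` check only logs and falls through, so a malformed frame whose readOffset already ran past oldSize leaves the buffer tail unmoved while the code below still rewrites this frame's header with the shrunk dataSize and cleared flags, and whatever parses the following frames (outside this hunk) sees compacted data followed by a stale tail. Unless the rest of the function is known to recover from that, the safer handling is to treat it as a parse failure rather than continue, e.g. add `return false;` (or this function's equivalent failure path — its return type is not visible here) after the `android_errorWriteLog` call. Note also that the check runs after the copy loop, so it detects the overrun but does not by itself stop the loop from reading past oldSize unless the loop condition, which is not in the hunk, already bounds readOffset. The enclosing function begins and ends outside this hunk.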