Prevent integer underflows in ID3::Iterator
If mFrameSize is smaller than getHeaderLength() (or, where an extra encoding byte
is subtracted as well, equal to it), the unsigned subtraction wraps around to a
huge length. This typically leads to an out-of-bounds read and a crash in the
code that follows. Prevent this from happening by validating mFrameSize before
the subtraction.
Also add NULL checks after references to ID3::Iterator::getData.
Bug: 23285887
Change-Id: I35eeda3c5349ebbd9ffb3ea49b79af6a940d1395
diff --git a/media/libstagefright/httplive/PlaylistFetcher.cpp b/media/libstagefright/httplive/PlaylistFetcher.cpp
index 1227600..0407332 100644
--- a/media/libstagefright/httplive/PlaylistFetcher.cpp
+++ b/media/libstagefright/httplive/PlaylistFetcher.cpp
@@ -1499,6 +1499,9 @@
while (!it.done()) {
size_t length;
const uint8_t *data = it.getData(&length);
+ if (!data) {
+ return ERROR_MALFORMED;
+ }
static const char *kMatchName =
"com.apple.streaming.transportStreamTimestamp";
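Review bot: The new NULL check on `data` does not reject a frame whose payload is present but empty, because ID3::Iterator::getData can return a non-NULL pointer with `length == 0` (it only returns NULL when the frame is shorter than its header). The kMatchName comparison that follows is only safe if a `length` bound is checked before any memcmp/strncmp on `data`; that code is outside the hunk, so please confirm it guards on `length` rather than relying on this NULL check. If the caller would rather tolerate a single bad frame than fail the whole fetch with ERROR_MALFORMED, `it.next(); continue;` is an alternative, but the fail-fast choice is defensible for a malformed tag. The enclosing function starts and ends outside the hunk.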
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index d9491d6..23d0491 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -506,6 +506,9 @@
return;
}
+ if (mFrameSize < getHeaderLength() + 1) {
+ return;
+ }
size_t n = mFrameSize - getHeaderLength() - 1;
if (otherdata) {
// skip past the encoding, language, and the 0 separator
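Review bot: The guard `mFrameSize < getHeaderLength() + 1` only ensures `n` does not wrap when the encoding byte is subtracted; it still admits `n == 0`, and the `otherdata` branch that skips "the encoding, language, and the 0 separator" presumably consumes several more bytes from the same payload. If that branch subtracts from `n` or advances a pointer by a fixed amount (its body is outside the hunk), the minimum size should be raised to cover those bytes too, or that branch needs its own bound check. A one-line comment would also help the next reader, since the `+ 1` is not self-explanatory: `// need at least the encoding byte after the frame header`. The enclosing function begins before the hunk.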
@@ -595,6 +598,11 @@
return NULL;
}
+ // Prevent integer underflow
+ if (mFrameSize < getHeaderLength()) {
+ return NULL;
+ }
+
*length = mFrameSize - getHeaderLength();
return mFrameData;
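Review bot: On the new early return `*length` is left unassigned, as it already is on the `return NULL` just above it; only the success path writes `*length = mFrameSize - getHeaderLength()`. Every caller in this commit checks the pointer before touching the length, but any caller that forgets (or that reads `length` for logging) would consume an uninitialized value, so zeroing it is cheap insurance: `*length = 0;` before each `return NULL;`. Note also that the boundary case `mFrameSize == getHeaderLength()` passes the check and yields a non-NULL `mFrameData` with `*length == 0`, so callers must bound-check the length before reading `data[0]`. The enclosing getData begins before the hunk.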
@@ -794,6 +802,9 @@
while (!it.done()) {
size_t size;
const uint8_t *data = it.getData(&size);
+ if (!data) {
+ return NULL;
+ }
if (mVersion == ID3_V2_3 || mVersion == ID3_V2_4) {
uint8_t encoding = data[0];
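Review bot: `data[0]` is read immediately after the NULL check without confirming `size >= 1`, and getData can legitimately return a non-NULL pointer with `size == 0` when the frame payload is exactly the header length (its new guard rejects only strictly-shorter frames). Unless a size check follows outside the hunk, an empty v2.3/v2.4 frame reads one byte past its payload, which is the same class of out-of-bounds read this commit sets out to fix; change the guard to `if (!data || size == 0) { return NULL; }`. The enclosing function begins and ends outside the hunk.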