am 268b9692: am 9a4da6b1: am c98f2a0a: am e0095a19: am 86174e2c: Merge "Prevent reading past the end of the buffer in 3GPP" into lmp-dev * commit '268b96927b2d0dcc63a0c8c9f546776e4ce67b7f': Prevent reading past the end of the buffer in 3GPP

commit: c1768c9dae4e4ad1f92759c9c981d2d6e5bd29d6 [log] [tgz]
author: Wei Jia <wjia@google.com> Thu Jun 11 13:33:35 2015 +0000
committer: Android Git Automerger <android-git-automerger@android.com> Thu Jun 11 13:33:35 2015 +0000
tree: bc27d9ab6ceffab71c294b02a35c4ab2c48f49a4
parent: a2a912a71e97b92edd7a73452587e0897026ec1e [diff]
parent: 268b96927b2d0dcc63a0c8c9f546776e4ce67b7f [diff]
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 58012b2..a1521de 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp

@@ -2398,11 +2398,11 @@
 }
 
 status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
-    if (size < 4) {
+    if (size < 4 || size == SIZE_MAX) {
         return ERROR_MALFORMED;
     }
 
-    uint8_t *buffer = new (std::nothrow) uint8_t[size];
+    uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
     if (buffer == NULL) {
         return ERROR_MALFORMED;
     }
@@ -2498,6 +2498,7 @@
         }
 
         if (isUTF8) {
+            buffer[size] = 0;
             mFileMetaData->setCString(metadataKey, (const char *)buffer + 6);
         } else {
             // Convert from UTF-16 string to UTF-8 string.
commit	c1768c9dae4e4ad1f92759c9c981d2d6e5bd29d6	[log] [tgz]
author	Wei Jia <wjia@google.com>	Thu Jun 11 13:33:35 2015 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	Thu Jun 11 13:33:35 2015 +0000
tree	bc27d9ab6ceffab71c294b02a35c4ab2c48f49a4
parent	a2a912a71e97b92edd7a73452587e0897026ec1e [diff]
parent	268b96927b2d0dcc63a0c8c9f546776e4ce67b7f [diff]