commit d8e41553b96432c4d4dae80fcc042b95fd9d27d9
author Marco Nelissen <marcone@google.com> Wed May 06 22:48:44 2015 +0000
committer Android Git Automerger <android-git-automerger@android.com> Wed May 06 22:48:44 2015 +0000
tree 8dbbd8d07f670ca1c56a6519d80b38fb5f61b5eb
parent a05bd3c1cdff400ad92532b06d40ddc5c638c284
parent bd28ac7471e2c7cab0ce9df4c2d5a295adc163a1

am bd28ac74: am 59cea261: Add some sanity checks

* commit 'bd28ac7471e2c7cab0ce9df4c2d5a295adc163a1':
  Add some sanity checks

media/libmedia/IMediaHTTPConnection.cpp

diff --git a/media/libmedia/IMediaHTTPConnection.cpp b/media/libmedia/IMediaHTTPConnection.cpp
index 7e26ee6..a5a3714 100644
--- a/media/libmedia/IMediaHTTPConnection.cpp
+++ b/media/libmedia/IMediaHTTPConnection.cpp
@@ -24,6 +24,7 @@
 #include <binder/Parcel.h>
 #include <utils/String8.h>
 #include <media/stagefright/foundation/ADebug.h>
+#include <media/stagefright/MediaErrors.h>
 
 namespace android {
 
@@ -106,11 +107,18 @@
             return UNKNOWN_ERROR;
         }
 
-        int32_t len = reply.readInt32();
+        size_t len = reply.readInt32();
 
-        if (len > 0) {
-            memcpy(buffer, mMemory->pointer(), len);
+        if (len > size) {
+            ALOGE("requested %zu, got %zu", size, len);
+            return ERROR_OUT_OF_RANGE;
         }
+        if (len > mMemory->size()) {
+            ALOGE("got %zu, but memory has %zu", len, mMemory->size());
+            return ERROR_OUT_OF_RANGE;
+        }
+
+        memcpy(buffer, mMemory->pointer(), len);
 
         return len;
     }