MPEG4Extractor: ensure buffer size is not less than 8 for LastCommentData. Bug: 24346430 Change-Id: I897a724e968841d9160f819d06c0ce22f6d743c4 (cherry picked from commit 5cae16bdce77b0a3ba590b55637f7d55a2f35402)

commit: e6d904fe5f6e7c7fc1d5fca2798dd3512468b118 [log] [tgz]
author: Wei Jia <wjia@google.com> Mon Sep 28 14:50:47 2015 -0700
committer: Wei Jia <wjia@google.com> Tue Oct 06 02:54:39 2015 +0000
tree: 0d14091afd78b81eafdcb7a2a6c82fb5b5952525
parent: 3737a3fa121796131ea5b782230e65dad9ccf90f [diff]
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 92065d1..990aa54 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp

@@ -2153,6 +2153,12 @@
                     mLastCommentName.setTo((const char *)buffer + 4);
                     break;
                 case FOURCC('d', 'a', 't', 'a'):
+                    if (size < 8) {
+                        delete[] buffer;
+                        buffer = NULL;
+                        ALOGE("b/24346430");
+                        return ERROR_MALFORMED;
+                    }
                     mLastCommentData.setTo((const char *)buffer + 8);
                     break;
             }
commit	e6d904fe5f6e7c7fc1d5fca2798dd3512468b118	[log] [tgz]
author	Wei Jia <wjia@google.com>	Mon Sep 28 14:50:47 2015 -0700
committer	Wei Jia <wjia@google.com>	Tue Oct 06 02:54:39 2015 +0000
tree	0d14091afd78b81eafdcb7a2a6c82fb5b5952525
parent	3737a3fa121796131ea5b782230e65dad9ccf90f [diff]