Merge "NuPlayerStreamListener: NULL and bounds check before memcpy" into klp-dev am: 4fa31b5 am: 6ee73da am: 9ef3f17 am: 8278e43 am: 093cd05 am: 05cb2d8 am: 5042d77 am: 6d1599d am: 297a8d2 am: 539826f * commit '539826f278dadc8041467713790ffe5b54572d6e': NuPlayerStreamListener: NULL and bounds check before memcpy

commit: f4044e892d3939fb99ee545a5e8e8e2999f476b2 [log] [tgz]
author: Robert Shih <robertshih@google.com> Tue Mar 22 21:24:09 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Tue Mar 22 21:24:09 2016 +0000
tree: 617bd547225bd6d87363bd35db1f8bf245161f06
parent: 5e5cdcac7f4a11400976ab44382429a640a4a9b5 [diff]
parent: 539826f278dadc8041467713790ffe5b54572d6e [diff]
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
index f53afbd..ee70306 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp

@@ -144,8 +144,17 @@
         copy = size;
     }
 
+    if (entry->mIndex >= mBuffers.size()) {
+        return ERROR_MALFORMED;
+    }
+
+    sp<IMemory> mem = mBuffers.editItemAt(entry->mIndex);
+    if (mem == NULL || mem->size() < copy || mem->size() - copy < entry->mOffset) {
+        return ERROR_MALFORMED;
+    }
+
     memcpy(data,
-           (const uint8_t *)mBuffers.editItemAt(entry->mIndex)->pointer()
+           (const uint8_t *)mem->pointer()
             + entry->mOffset,
            copy);
commit	f4044e892d3939fb99ee545a5e8e8e2999f476b2	[log] [tgz]
author	Robert Shih <robertshih@google.com>	Tue Mar 22 21:24:09 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Tue Mar 22 21:24:09 2016 +0000
tree	617bd547225bd6d87363bd35db1f8bf245161f06
parent	5e5cdcac7f4a11400976ab44382429a640a4a9b5 [diff]
parent	539826f278dadc8041467713790ffe5b54572d6e [diff]