am 648ec9da: am 92b5c47a: am 32739430: am fbf55d85: am 80c17e0d: am 450e1015: Fix Ogg album art * commit '648ec9da3bcf1b9b47f2abf6bfcb2fdf54db7b09': Fix Ogg album art

commit: f647c38a3e4b065fc26d0a8bb55071dae1028ac2 [log] [tgz]
author: Marco Nelissen <marcone@google.com> Sat Aug 08 03:19:34 2015 +0000
committer: Android Git Automerger <android-git-automerger@android.com> Sat Aug 08 03:19:34 2015 +0000
tree: 73ae2b98853f00749c5a1a3471a292a560f05823
parent: b3adb709bd278004de5764ce45b51140aefcc4c8 [diff]
parent: 648ec9da3bcf1b9b47f2abf6bfcb2fdf54db7b09 [diff]
diff --git a/media/libstagefright/OggExtractor.cpp b/media/libstagefright/OggExtractor.cpp
index 6e32494..976763c 100644
--- a/media/libstagefright/OggExtractor.cpp
+++ b/media/libstagefright/OggExtractor.cpp

@@ -973,11 +973,12 @@
     }
 
     typeLen = U32_AT(&flac[4]);
-    if (typeLen + 1 > sizeof(type)) {
+    if (typeLen > sizeof(type) - 1) {
         goto exit;
     }
 
-    if (flacSize < 8 + typeLen) {
+    // we've already checked above that flacSize >= 8
+    if (flacSize - 8 < typeLen) {
         goto exit;
     }
 
@@ -993,13 +994,17 @@
 
     descLen = U32_AT(&flac[8 + typeLen]);
 
-    if (flacSize < 32 + typeLen + descLen) {
+    if (flacSize < 32 ||
+        flacSize - 32 < typeLen ||
+        flacSize - 32 - typeLen < descLen) {
         goto exit;
     }
 
     dataLen = U32_AT(&flac[8 + typeLen + 4 + descLen + 16]);
 
-    if (flacSize < 32 + typeLen + descLen + dataLen) {
+
+    // we've already checked above that (flacSize - 32 - typeLen - descLen) >= 0
+    if (flacSize - 32 - typeLen - descLen < dataLen) {
         goto exit;
     }
commit	f647c38a3e4b065fc26d0a8bb55071dae1028ac2	[log] [tgz]
author	Marco Nelissen <marcone@google.com>	Sat Aug 08 03:19:34 2015 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	Sat Aug 08 03:19:34 2015 +0000
tree	73ae2b98853f00749c5a1a3471a292a560f05823
parent	b3adb709bd278004de5764ce45b51140aefcc4c8 [diff]
parent	648ec9da3bcf1b9b47f2abf6bfcb2fdf54db7b09 [diff]