Commit 0dc89f5c authored by Marco Nelissen's avatar Marco Nelissen Committed by The Android Automerger
Browse files

Fix crash on malformed id3

Bug: 22954006
Change-Id: I488cb1e2c69fc7043b6040481b30fa866000515d
parent 07f19bad
......@@ -260,7 +260,7 @@ private:
return mSize <= sizeof(u.reservoir);
}
void allocateStorage(size_t size);
void *allocateStorage(size_t size);
void freeStorage();
void *storage() {
......
......@@ -244,8 +244,11 @@ MetaData::typed_data::~typed_data() {
MetaData::typed_data::typed_data(const typed_data &from)
: mType(from.mType),
mSize(0) {
allocateStorage(from.mSize);
memcpy(storage(), from.storage(), mSize);
void *dst = allocateStorage(from.mSize);
if (dst) {
memcpy(dst, from.storage(), mSize);
}
}
MetaData::typed_data &MetaData::typed_data::operator=(
......@@ -253,8 +256,10 @@ MetaData::typed_data &MetaData::typed_data::operator=(
if (this != &from) {
clear();
mType = from.mType;
allocateStorage(from.mSize);
memcpy(storage(), from.storage(), mSize);
void *dst = allocateStorage(from.mSize);
if (dst) {
memcpy(dst, from.storage(), mSize);
}
}
return *this;
......@@ -271,13 +276,11 @@ void MetaData::typed_data::setData(
clear();
mType = type;
allocateStorage(size);
void *dst = storage();
if (!dst) {
ALOGE("Couldn't allocate %zu bytes for item", size);
return;
void *dst = allocateStorage(size);
if (dst) {
memcpy(dst, data, size);
}
memcpy(dst, data, size);
}
void MetaData::typed_data::getData(
......@@ -287,14 +290,19 @@ void MetaData::typed_data::getData(
*data = storage();
}
void MetaData::typed_data::allocateStorage(size_t size) {
void *MetaData::typed_data::allocateStorage(size_t size) {
mSize = size;
if (usesReservoir()) {
return;
return &u.reservoir;
}
u.ext_data = malloc(mSize);
if (u.ext_data == NULL) {
ALOGE("Couldn't allocate %zu bytes for item", size);
mSize = 0;
}
return u.ext_data;
}
void MetaData::typed_data::freeStorage() {
......
......@@ -804,6 +804,12 @@ ID3::getAlbumArt(size_t *length, String8 *mime) const {
size_t descLen = StringSize(&data[2 + mimeLen], encoding);
if (size < 2 ||
size - 2 < mimeLen ||
size - 2 - mimeLen < descLen) {
ALOGW("bogus album art sizes");
return NULL;
}
*length = size - 2 - mimeLen - descLen;
return &data[2 + mimeLen + descLen];
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment