Prevent integer underflow if size is below 6

When processing 3GPP metadata, a subtraction operation may underflow and lead to a rather large linear byteswap operation in the subsequent framedata decoding code. Bound the 'size' value to prevent this from occurring. Bug: 20923261 Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5 (cherry picked from commit 9458e71)
CyanogenMod · Jul 14, 2015 · d4a13c6 · d4a13c6
1 parent 5fd0cb5
commit d4a13c6
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
@@ -2551,6 +2551,10 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept
         int len16 = 0; // Number of UTF-16 characters
 
         // smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00
+        if (size < 6) {
+            return ERROR_MALFORMED;
+        }
+
         if (size - 6 >= 4) {
             len16 = ((size - 6) / 2) - 1; // don't include 0x0000 terminator
             framedata = (char16_t *)(buffer + 6);