Prevent reading past the end of the buffer in 3GPP

Metadata processed within the parse3GPPMetaData function may not be NUL terminated and thus calling setCString may read out of bounds. Ensure proper NUL termination, but take care not to interfere with other special cases (ie, albm). Bug: 20923261 Change-Id: Ie93b3038b534b4c4460571a68f4d734cff7ad324 (cherry picked from commit 5cea015)
CyanogenMod · Jul 14, 2015 · bdf4a64 · bdf4a64
1 parent d4a13c6
commit bdf4a64
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
@@ -2478,11 +2478,11 @@ status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) {
 }
 
 status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
-    if (size < 4) {
+    if (size < 4 || size == SIZE_MAX) {
         return ERROR_MALFORMED;
     }
 
-    uint8_t *buffer = new (std::nothrow) uint8_t[size];
+    uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
     if (buffer == NULL) {
         return ERROR_MALFORMED;
     }
@@ -2578,6 +2578,7 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept
         }
 
         if (isUTF8) {
+            buffer[size] = 0;
             mFileMetaData->setCString(metadataKey, (const char *)buffer + 6);
         } else {
             // Convert from UTF-16 string to UTF-8 string.