authorChris Craik <ccraik@google.com>2014-04-09 16:31:18 -0700
committerChris Craik <ccraik@google.com>2014-04-09 16:31:18 -0700
commit9d34bc31927f47e91ba85980d4d146593cbbe1a8 (patch)
tree77475b21c31843630d8c4cf05680311c822bbd87 /framesequence
parent194dda102240aeeaa30c28f4eda3e1d3ccdb6b03 (diff)
Fix uninitialized read in gif extension reading
Use memcmp instead of strcmp, since string stored in gif may not be null terminated. Additionally, pass the correct carray for releasing the byte array. Change-Id: Icb0260c953377d17b7dd7b4fb021147181cd5df8
Diffstat (limited to 'framesequence')
-rw-r--r--framesequence/jni/FrameSequenceJNI.cpp3
-rw-r--r--framesequence/jni/FrameSequence_gif.cpp12
2 files changed, 7 insertions, 8 deletions
diff --git a/framesequence/jni/FrameSequenceJNI.cpp b/framesequence/jni/FrameSequenceJNI.cpp
index efeed7e..08a73bc 100644
--- a/framesequence/jni/FrameSequenceJNI.cpp
+++ b/framesequence/jni/FrameSequenceJNI.cpp
@@ -53,8 +53,7 @@ static jobject nativeDecodeByteArray(JNIEnv* env, jobject clazz,
"couldn't read array bytes");
return NULL;
}
- bytes += offset;
- MemoryStream stream(bytes, length);
+ MemoryStream stream(bytes + offset, length);
FrameSequence* frameSequence = FrameSequence::create(&stream);
env->ReleasePrimitiveArrayCritical(byteArray, bytes, 0);
return createJavaFrameSequence(env, frameSequence);
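Review bot: Nothing visible in this hunk checks `offset` and `length` against the size of `byteArray` before `MemoryStream stream(bytes + offset, length)` is built, so a caller-supplied pair that exceeds the array would let the decoder read past the pinned buffer. nativeDecodeByteArray starts above the hunk, so the check may already exist there; if it does not, add one before the array is pinned, since JNI calls are not allowed inside the critical region: `if (offset < 0 || length < 0 || length > env->GetArrayLength(byteArray) - offset) { /* throw and return NULL */ }`. As the buffer is only read, the release could also use `JNI_ABORT` instead of `0` to skip any copy-back: `env->ReleasePrimitiveArrayCritical(byteArray, bytes, JNI_ABORT);`.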
diff --git a/framesequence/jni/FrameSequence_gif.cpp b/framesequence/jni/FrameSequence_gif.cpp
index 2402439..daa097b 100644
--- a/framesequence/jni/FrameSequence_gif.cpp
+++ b/framesequence/jni/FrameSequence_gif.cpp
@@ -81,14 +81,14 @@ FrameSequence_gif::FrameSequence_gif(Stream* stream) :
for (int j = 0; (j + 1) < image.ExtensionBlockCount; j++) {
ExtensionBlock* eb1 = image.ExtensionBlocks + j;
ExtensionBlock* eb2 = image.ExtensionBlocks + j + 1;
- if (eb1->Function == APPLICATION_EXT_FUNC_CODE &&
+ if (eb1->Function == APPLICATION_EXT_FUNC_CODE
// look for "NETSCAPE2.0" app extension
- eb1->ByteCount == 11 &&
- !strcmp((const char*)(eb1->Bytes), "NETSCAPE2.0") &&
+ && eb1->ByteCount == 11
+ && !memcmp((const char*)(eb1->Bytes), "NETSCAPE2.0", 11)
// verify extension contents and get loop count
- eb2->Function == CONTINUE_EXT_FUNC_CODE &&
- eb2->ByteCount == 3 &&
- eb2->Bytes[0] == 1) {
+ && eb2->Function == CONTINUE_EXT_FUNC_CODE
+ && eb2->ByteCount == 3
+ && eb2->Bytes[0] == 1) {
mLoopCount = (int)(eb2->Bytes[2] & 0xff) + (int)(eb2->Bytes[1] & 0xff);
}
}
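Review bot: The unchanged `mLoopCount` line after the condition adds the two loop-count bytes rather than combining them, although the NETSCAPE2.0 sub-block stores the count as a 16-bit little-endian value; any count above 255 is therefore decoded wrongly. I would change it to `mLoopCount = ((eb2->Bytes[2] & 0xff) << 8) | (eb2->Bytes[1] & 0xff);`. The new `memcmp` is safe only because `eb1->ByteCount == 11` is tested before it, so a short comment such as `// ByteCount check must precede memcmp: Bytes is not NUL-terminated` would keep a later reorder from reintroducing the over-read; the `(const char*)` cast is no longer needed. The constructor body continues outside the hunk.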