author | Marco Nelissen <marcone@google.com> | 2017-10-09 14:59:43 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2018-01-10 22:45:21 +0100 |
commit | 80de27ec697625eb965893bbeced75214b998bca (patch) | |
tree | 5004fd2615e5713bc6a9d967559a95db3e6a2d9e | |
parent | 9d0749abe3fdc6d79599b57fe3ecbe6fa1a3e990 (diff) | |
Fix edge case when applying id3 unsynchronization
Bug: 63100526
Test: opened poc, other files
Change-Id: I0a51a2a11d0ea84ede0c075de650a7118f0e00c5
(cherry picked from commit 3e70296461c5f260988ab21854a6f43fdafea764)
CVE-2017-13200
-rw-r--r-- | media/libstagefright/id3/ID3.cpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index fee13eac66..ed52b12d88 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -392,7 +392,12 @@ bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
 --mSize;
 --dataSize;
 }
- mData[writeOffset++] = mData[readOffset++];
+ if (i + 1 < dataSize) {
+ // Only move data if there's actually something to move.
+ // This handles the special case of the data being only [0xff, 0x00]
+ // which should be converted to just 0xff if unsynchronization is on.
+ mData[writeOffset++] = mData[readOffset++];
+ }
 }
 // move the remaining data following this frame
 if (readOffset <= oldSize) {
|
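Review bot: The comment on the new `if (i + 1 < dataSize)` guard describes it as a data-conversion special case, but the commit is tagged CVE-2017-13200 and the guard is really a bounds check, which the comment should say so that a later cleanup does not fold it away as redundant. Because `dataSize` is decremented just above, the byte at `readOffset` may no longer belong to this frame, and the old unconditional copy would have read it anyway. The loop header is outside the hunk, so this is inferred, but the condition looks like it fires whenever the escaped pair ends the frame, not only when the data is exactly `[0xff, 0x00]`. I would add a line such as `// Bounds guard: dataSize was just decremented, so re-check before reading mData[readOffset]; it may lie past this frame.` The trailer says only "Test: opened poc", so a regression test with a frame ending in `0xff 0x00` would be worth adding alongside.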