Prevent integer underflow if size is below 6 When processing 3GPP metadata, a subtraction operation may underflow and lead to a rather large linear byteswap operation in the subsequent framedata decoding code. Bound the 'size' value to prevent this from occurring. Bug: 20923261 Change-Id: I35dfbc8878c6b65cfe8b8adb7351a77ad4d604e5 (cherry picked from commit 9458e715d391ee8fe455fc31f07ff35ce12e0531)

commit: f4f7e0c102819f039ebb1972b3dba1d3186bc1d1 [log] [tgz]
author: Joshua J. Drake <android-open-source@qoop.org> Mon May 04 17:57:24 2015 -0500
committer: The Android Automerger <android-build@android.com> Thu Jul 09 14:09:57 2015 -0700
tree: 2f76705c51780ee64c76fa80cd7873d077182462
parent: 2674a7218eaa3c87f2ee26d26da5b9170e10f859 [diff]
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 850e6af..fe4527d 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp

@@ -2483,6 +2483,10 @@
         int len16 = 0; // Number of UTF-16 characters
 
         // smallest possible valid UTF-16 string w BOM: 0xfe 0xff 0x00 0x00
+        if (size < 6) {
+            return ERROR_MALFORMED;
+        }
+
         if (size - 6 >= 4) {
             len16 = ((size - 6) / 2) - 1; // don't include 0x0000 terminator
             framedata = (char16_t *)(buffer + 6);
commit	f4f7e0c102819f039ebb1972b3dba1d3186bc1d1	[log] [tgz]
author	Joshua J. Drake <android-open-source@qoop.org>	Mon May 04 17:57:24 2015 -0500
committer	The Android Automerger <android-build@android.com>	Thu Jul 09 14:09:57 2015 -0700
tree	2f76705c51780ee64c76fa80cd7873d077182462
parent	2674a7218eaa3c87f2ee26d26da5b9170e10f859 [diff]