From c2eeb2f52ed907d9502981759e9f30c35cea683d Mon Sep 17 00:00:00 2001
From: Andreas Huber
Date: Mon, 29 Mar 2010 15:13:40 -0700
Subject: [PATCH] Limit the total amount of ID3 metadata to something (un-)reasonable: 3MB.

Change-Id: I3f9bbcdd4f563bac27c4ccae58e4179656c264b6
related-to-bug: 1903971
---
 media/libstagefright/id3/ID3.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/media/libstagefright/id3/ID3.cpp b/media/libstagefright/id3/ID3.cpp
index b2632387e7e4e..d688e2ccf16e1 100644
--- a/media/libstagefright/id3/ID3.cpp
+++ b/media/libstagefright/id3/ID3.cpp
@@ -28,6 +28,8 @@
 namespace android {
+static const size_t kMaxMetadataSize = 3 * 1024 * 1024;
+
 ID3::ID3(const sp &source)
 : mIsValid(false),
 mData(NULL),
@@ -111,6 +113,11 @@ bool ID3::parseV2(const sp &source) {
 size = (size << 7) | header.enc_size[i];
 }
+ if (size > kMaxMetadataSize) {
+ LOGE("skipping huge ID3 metadata of size %d", size);
+ return false;
+ }
+
 mData = (uint8_t *)malloc(size);
 if (mData == NULL) {
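Review bot: The `kMaxMetadataSize` definition added in the first hunk carries no comment saying what it bounds or why 3 MiB was picked, and the commit message itself calls the value "(un-)reasonable". The second hunk compares it against a size decoded from `header.enc_size`, a value read from the file being parsed, so the constant is the only limit on that allocation. I would add a comment above it such as `// Largest ID3v2 tag we are willing to buffer in memory; the size comes from the tag header and is untrusted.`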
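Review bot: The `LOGE` call in the added size check prints `size` with `%d`, but `size` is compared with the `size_t` constant and passed to `malloc`, so it is presumably a `size_t` (its declaration is outside the hunk). That is a format/argument mismatch, which misprints or is undefined where `size_t` is wider than `int`. Use `LOGE("skipping huge ID3 metadata of size %zu", size);` or cast the argument to match the specifier. The message also says "skipping" although the code returns false from `parseV2`, so the tag is rejected rather than skipped; "rejecting" would describe it better. The check does sit before `malloc(size)` as it should, and `parseV2` starts and continues outside the hunk, so how callers handle the false return is not visible here.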