1 /*
2  * Copyright (C) 2010 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 //#define LOG_NDEBUG 0
18 #define LOG_TAG "ID3"
19 #include <utils/Log.h>
20 
21 #include "../include/ID3.h"
22 
23 #include <media/DataSource.h>
24 #include <media/MediaExtractorPluginApi.h>
25 #include <media/MediaExtractorPluginHelper.h>
26 #include <media/stagefright/foundation/ADebug.h>
27 #include <media/stagefright/foundation/ByteUtils.h>
28 #include <utils/String8.h>
29 #include <byteswap.h>
30 
31 namespace android {
32 
33 static const size_t kMaxMetadataSize = 3 * 1024 * 1024;
34 
35 struct MemorySource : public DataSourceBase {
MemorySourceandroid::MemorySource36     MemorySource(const uint8_t *data, size_t size)
37         : mData(data),
38           mSize(size) {
39     }
40 
initCheckandroid::MemorySource41     virtual status_t initCheck() const {
42         return OK;
43     }
44 
readAtandroid::MemorySource45     virtual ssize_t readAt(off64_t offset, void *data, size_t size) {
46         off64_t available = (offset >= (off64_t)mSize) ? 0LL : mSize - offset;
47 
48         size_t copy = (available > (off64_t)size) ? size : available;
49         memcpy(data, mData + offset, copy);
50 
51         return copy;
52     }
53 
54 private:
55     const uint8_t *mData;
56     size_t mSize;
57 
58     DISALLOW_EVIL_CONSTRUCTORS(MemorySource);
59 };
60 
61 class DataSourceUnwrapper : public DataSourceBase {
62 
63 public:
DataSourceUnwrapper(DataSourceHelper * sourcehelper)64     explicit DataSourceUnwrapper(DataSourceHelper *sourcehelper) {
65         mSource = sourcehelper;
66     }
initCheck() const67     virtual status_t initCheck() const { return OK; }
68 
69     // Returns the number of bytes read, or -1 on failure. It's not an error if
70     // this returns zero; it just means the given offset is equal to, or
71     // beyond, the end of the source.
readAt(off64_t offset,void * data,size_t size)72     virtual ssize_t readAt(off64_t offset, void *data, size_t size) {
73         return mSource->readAt(offset, data, size);
74     }
75 
76     // May return ERROR_UNSUPPORTED.
getSize(off64_t * size)77     virtual status_t getSize(off64_t *size) {
78         return mSource->getSize(size);
79     }
80 
getUri(char *,size_t)81     virtual bool getUri(char * /*uriString*/, size_t /*bufferSize*/) {
82         return false;
83     }
84 
flags()85     virtual uint32_t flags() {
86         return 0;
87     }
88 
close()89     virtual void close() {};
90 private:
91     DataSourceHelper *mSource;
92 };
93 
94 
ID3(DataSourceHelper * sourcehelper,bool ignoreV1,off64_t offset)95 ID3::ID3(DataSourceHelper *sourcehelper, bool ignoreV1, off64_t offset)
96     : mIsValid(false),
97       mData(NULL),
98       mSize(0),
99       mFirstFrameOffset(0),
100       mVersion(ID3_UNKNOWN),
101       mRawSize(0) {
102     DataSourceUnwrapper source(sourcehelper);
103     mIsValid = parseV2(&source, offset);
104 
105     if (!mIsValid && !ignoreV1) {
106         mIsValid = parseV1(&source);
107     }
108 }
109 
ID3(DataSourceBase * source,bool ignoreV1,off64_t offset)110 ID3::ID3(DataSourceBase *source, bool ignoreV1, off64_t offset)
111     : mIsValid(false),
112       mData(NULL),
113       mSize(0),
114       mFirstFrameOffset(0),
115       mVersion(ID3_UNKNOWN),
116       mRawSize(0) {
117     mIsValid = parseV2(source, offset);
118 
119     if (!mIsValid && !ignoreV1) {
120         mIsValid = parseV1(source);
121     }
122 }
123 
ID3(const uint8_t * data,size_t size,bool ignoreV1)124 ID3::ID3(const uint8_t *data, size_t size, bool ignoreV1)
125     : mIsValid(false),
126       mData(NULL),
127       mSize(0),
128       mFirstFrameOffset(0),
129       mVersion(ID3_UNKNOWN),
130       mRawSize(0) {
131     MemorySource *source = new (std::nothrow) MemorySource(data, size);
132 
133     if (source == NULL)
134         return;
135 
136     mIsValid = parseV2(source, 0);
137 
138     if (!mIsValid && !ignoreV1) {
139         mIsValid = parseV1(source);
140     }
141     delete source;
142 }
143 
~ID3()144 ID3::~ID3() {
145     if (mData) {
146         free(mData);
147         mData = NULL;
148     }
149 }
150 
isValid() const151 bool ID3::isValid() const {
152     return mIsValid;
153 }
154 
version() const155 ID3::Version ID3::version() const {
156     return mVersion;
157 }
158 
159 // static
ParseSyncsafeInteger(const uint8_t encoded[4],size_t * x)160 bool ID3::ParseSyncsafeInteger(const uint8_t encoded[4], size_t *x) {
161     *x = 0;
162     for (int32_t i = 0; i < 4; ++i) {
163         if (encoded[i] & 0x80) {
164             return false;
165         }
166 
167         *x = ((*x) << 7) | encoded[i];
168     }
169 
170     return true;
171 }
172 
parseV2(DataSourceBase * source,off64_t offset)173 bool ID3::parseV2(DataSourceBase *source, off64_t offset) {
174 struct id3_header {
175     char id[3];
176     uint8_t version_major;
177     uint8_t version_minor;
178     uint8_t flags;
179     uint8_t enc_size[4];
180     };
181 
182     id3_header header;
183     if (source->readAt(
184                 offset, &header, sizeof(header)) != (ssize_t)sizeof(header)) {
185         return false;
186     }
187 
188     if (memcmp(header.id, "ID3", 3)) {
189         return false;
190     }
191 
192     if (header.version_major == 0xff || header.version_minor == 0xff) {
193         return false;
194     }
195 
196     if (header.version_major == 2) {
197         if (header.flags & 0x3f) {
198             // We only support the 2 high bits, if any of the lower bits are
199             // set, we cannot guarantee to understand the tag format.
200             return false;
201         }
202 
203         if (header.flags & 0x40) {
204             // No compression scheme has been decided yet, ignore the
205             // tag if compression is indicated.
206 
207             return false;
208         }
209     } else if (header.version_major == 3) {
210         if (header.flags & 0x1f) {
211             // We only support the 3 high bits, if any of the lower bits are
212             // set, we cannot guarantee to understand the tag format.
213             return false;
214         }
215     } else if (header.version_major == 4) {
216         if (header.flags & 0x0f) {
217             // The lower 4 bits are undefined in this spec.
218             return false;
219         }
220     } else {
221         return false;
222     }
223 
224     size_t size;
225     if (!ParseSyncsafeInteger(header.enc_size, &size)) {
226         return false;
227     }
228 
229     if (size > kMaxMetadataSize) {
230         ALOGE("skipping huge ID3 metadata of size %zu", size);
231         return false;
232     }
233 
234     mData = (uint8_t *)malloc(size);
235 
236     if (mData == NULL) {
237         return false;
238     }
239 
240     mSize = size;
241     mRawSize = mSize + sizeof(header);
242 
243     if (source->readAt(offset + sizeof(header), mData, mSize) != (ssize_t)mSize) {
244         free(mData);
245         mData = NULL;
246 
247         return false;
248     }
249 
250     if (header.version_major == 4) {
251         void *copy = malloc(size);
252         if (copy == NULL) {
253             free(mData);
254             mData = NULL;
255             ALOGE("b/24623447, no more memory");
256             return false;
257         }
258 
259         memcpy(copy, mData, size);
260 
261         bool success = removeUnsynchronizationV2_4(false /* iTunesHack */);
262         if (!success) {
263             memcpy(mData, copy, size);
264             mSize = size;
265 
266             success = removeUnsynchronizationV2_4(true /* iTunesHack */);
267 
268             if (success) {
269                 ALOGV("Had to apply the iTunes hack to parse this ID3 tag");
270             }
271         }
272 
273         free(copy);
274         copy = NULL;
275 
276         if (!success) {
277             free(mData);
278             mData = NULL;
279 
280             return false;
281         }
282     } else if (header.flags & 0x80) {
283         ALOGV("removing unsynchronization");
284 
285         removeUnsynchronization();
286     }
287 
288     mFirstFrameOffset = 0;
289     if (header.version_major == 3 && (header.flags & 0x40)) {
290         // Version 2.3 has an optional extended header.
291 
292         if (mSize < 4) {
293             free(mData);
294             mData = NULL;
295 
296             return false;
297         }
298 
299         size_t extendedHeaderSize = U32_AT(&mData[0]);
300         if (extendedHeaderSize > SIZE_MAX - 4) {
301             free(mData);
302             mData = NULL;
303             ALOGE("b/24623447, extendedHeaderSize is too large");
304             return false;
305         }
306         extendedHeaderSize += 4;
307 
308         if (extendedHeaderSize > mSize) {
309             free(mData);
310             mData = NULL;
311 
312             return false;
313         }
314 
315         mFirstFrameOffset = extendedHeaderSize;
316 
317         uint16_t extendedFlags = 0;
318         if (extendedHeaderSize >= 6) {
319             extendedFlags = U16_AT(&mData[4]);
320 
321             if (extendedHeaderSize >= 10) {
322                 size_t paddingSize = U32_AT(&mData[6]);
323 
324                 if (paddingSize > SIZE_MAX - mFirstFrameOffset) {
325                     ALOGE("b/24623447, paddingSize is too large");
326                 }
327                 if (paddingSize > mSize - mFirstFrameOffset) {
328                     free(mData);
329                     mData = NULL;
330 
331                     return false;
332                 }
333 
334                 mSize -= paddingSize;
335             }
336 
337             if (extendedFlags & 0x8000) {
338                 ALOGV("have crc");
339             }
340         }
341     } else if (header.version_major == 4 && (header.flags & 0x40)) {
342         // Version 2.4 has an optional extended header, that's different
343         // from Version 2.3's...
344 
345         if (mSize < 4) {
346             free(mData);
347             mData = NULL;
348 
349             return false;
350         }
351 
352         size_t ext_size;
353         if (!ParseSyncsafeInteger(mData, &ext_size)) {
354             free(mData);
355             mData = NULL;
356 
357             return false;
358         }
359 
360         if (ext_size < 6 || ext_size > mSize) {
361             free(mData);
362             mData = NULL;
363 
364             return false;
365         }
366 
367         mFirstFrameOffset = ext_size;
368     }
369 
370     if (header.version_major == 2) {
371         mVersion = ID3_V2_2;
372     } else if (header.version_major == 3) {
373         mVersion = ID3_V2_3;
374     } else {
375         CHECK_EQ(header.version_major, 4);
376         mVersion = ID3_V2_4;
377     }
378 
379     return true;
380 }
381 
removeUnsynchronization()382 void ID3::removeUnsynchronization() {
383 
384     // This file has "unsynchronization", so we have to replace occurrences
385     // of 0xff 0x00 with just 0xff in order to get the real data.
386 
387     size_t writeOffset = 1;
388     for (size_t readOffset = 1; readOffset < mSize; ++readOffset) {
389         if (mData[readOffset - 1] == 0xff && mData[readOffset] == 0x00) {
390             continue;
391         }
392         // Only move data if there's actually something to move.
393         // This handles the special case of the data being only [0xff, 0x00]
394         // which should be converted to just 0xff if unsynchronization is on.
395         mData[writeOffset++] = mData[readOffset];
396     }
397 
398     if (writeOffset < mSize) {
399         mSize = writeOffset;
400     }
401 
402 }
403 
WriteSyncsafeInteger(uint8_t * dst,size_t x)404 static void WriteSyncsafeInteger(uint8_t *dst, size_t x) {
405     for (size_t i = 0; i < 4; ++i) {
406         dst[3 - i] = (x & 0x7f);
407         x >>= 7;
408     }
409 }
410 
removeUnsynchronizationV2_4(bool iTunesHack)411 bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
412     size_t oldSize = mSize;
413 
414     size_t offset = 0;
415     while (mSize >= 10 && offset <= mSize - 10) {
416         if (!memcmp(&mData[offset], "\0\0\0\0", 4)) {
417             break;
418         }
419 
420         size_t dataSize;
421         if (iTunesHack) {
422             dataSize = U32_AT(&mData[offset + 4]);
423         } else if (!ParseSyncsafeInteger(&mData[offset + 4], &dataSize)) {
424             return false;
425         }
426 
427         if (dataSize > mSize - 10 - offset) {
428             return false;
429         }
430 
431         uint16_t flags = U16_AT(&mData[offset + 8]);
432         uint16_t prevFlags = flags;
433 
434         if (flags & 1) {
435             // Strip data length indicator
436 
437             if (mSize < 14 || mSize - 14 < offset || dataSize < 4) {
438                 return false;
439             }
440             memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
441             mSize -= 4;
442             dataSize -= 4;
443 
444             flags &= ~1;
445         }
446 
447         if ((flags & 2) && (dataSize >= 2)) {
448             // This file has "unsynchronization", so we have to replace occurrences
449             // of 0xff 0x00 with just 0xff in order to get the real data.
450 
451             size_t readOffset = offset + 11;
452             size_t writeOffset = offset + 11;
453             for (size_t i = 0; i + 1 < dataSize; ++i) {
454                 if (mData[readOffset - 1] == 0xff
455                         && mData[readOffset] == 0x00) {
456                     ++readOffset;
457                     --mSize;
458                     --dataSize;
459                 }
460                 if (i + 1 < dataSize) {
461                     // Only move data if there's actually something to move.
462                     // This handles the special case of the data being only [0xff, 0x00]
463                     // which should be converted to just 0xff if unsynchronization is on.
464                     mData[writeOffset++] = mData[readOffset++];
465                 }
466             }
467             // move the remaining data following this frame
468             if (readOffset <= oldSize) {
469                 memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
470             } else {
471                 ALOGE("b/34618607 (%zu %zu %zu %zu)", readOffset, writeOffset, oldSize, mSize);
472                 android_errorWriteLog(0x534e4554, "34618607");
473             }
474 
475         }
476         flags &= ~2;
477         if (flags != prevFlags || iTunesHack) {
478             WriteSyncsafeInteger(&mData[offset + 4], dataSize);
479             mData[offset + 8] = flags >> 8;
480             mData[offset + 9] = flags & 0xff;
481         }
482 
483         offset += 10 + dataSize;
484     }
485 
486     memset(&mData[mSize], 0, oldSize - mSize);
487 
488     return true;
489 }
490 
Iterator(const ID3 & parent,const char * id)491 ID3::Iterator::Iterator(const ID3 &parent, const char *id)
492     : mParent(parent),
493       mID(NULL),
494       mOffset(mParent.mFirstFrameOffset),
495       mFrameData(NULL),
496       mFrameSize(0) {
497     if (id) {
498         mID = strdup(id);
499     }
500 
501     findFrame();
502 }
503 
~Iterator()504 ID3::Iterator::~Iterator() {
505     if (mID) {
506         free(mID);
507         mID = NULL;
508     }
509 }
510 
done() const511 bool ID3::Iterator::done() const {
512     return mFrameData == NULL;
513 }
514 
next()515 void ID3::Iterator::next() {
516     if (mFrameData == NULL) {
517         return;
518     }
519 
520     mOffset += mFrameSize;
521 
522     findFrame();
523 }
524 
getID(String8 * id) const525 void ID3::Iterator::getID(String8 *id) const {
526     id->setTo("");
527 
528     if (mFrameData == NULL) {
529         return;
530     }
531 
532     if (mParent.mVersion == ID3_V2_2) {
533         id->setTo((const char *)&mParent.mData[mOffset], 3);
534     } else if (mParent.mVersion == ID3_V2_3 || mParent.mVersion == ID3_V2_4) {
535         id->setTo((const char *)&mParent.mData[mOffset], 4);
536     } else {
537         CHECK(mParent.mVersion == ID3_V1 || mParent.mVersion == ID3_V1_1);
538 
539         switch (mOffset) {
540             case 3:
541                 id->setTo("TT2");
542                 break;
543             case 33:
544                 id->setTo("TP1");
545                 break;
546             case 63:
547                 id->setTo("TAL");
548                 break;
549             case 93:
550                 id->setTo("TYE");
551                 break;
552             case 97:
553                 id->setTo("COM");
554                 break;
555             case 126:
556                 id->setTo("TRK");
557                 break;
558             case 127:
559                 id->setTo("TCO");
560                 break;
561             default:
562                 CHECK(!"should not be here.");
563                 break;
564         }
565     }
566 }
567 
568 
569 // the 2nd argument is used to get the data following the \0 in a comment field
getString(String8 * id,String8 * comment) const570 void ID3::Iterator::getString(String8 *id, String8 *comment) const {
571     getstring(id, false);
572     if (comment != NULL) {
573         getstring(comment, true);
574     }
575 }
576 
577 // comment fields (COM/COMM) contain an initial short descriptor, followed by \0,
578 // followed by more data. The data following the \0 can be retrieved by setting
579 // "otherdata" to true.
getstring(String8 * id,bool otherdata) const580 void ID3::Iterator::getstring(String8 *id, bool otherdata) const {
581     id->setTo("");
582 
583     const uint8_t *frameData = mFrameData;
584     if (frameData == NULL) {
585         return;
586     }
587 
588     uint8_t encoding = *frameData;
589 
590     if (mParent.mVersion == ID3_V1 || mParent.mVersion == ID3_V1_1) {
591         if (mOffset == 126 || mOffset == 127) {
592             // Special treatment for the track number and genre.
593             char tmp[16];
594             snprintf(tmp, sizeof(tmp), "%d", (int)*frameData);
595 
596             id->setTo(tmp);
597             return;
598         }
599 
600         // this is supposed to be ISO-8859-1, but pass it up as-is to the caller, who will figure
601         // out the real encoding
602         id->setTo((const char*)frameData, mFrameSize);
603         return;
604     }
605 
606     if (mFrameSize < getHeaderLength() + 1) {
607         return;
608     }
609     size_t n = mFrameSize - getHeaderLength() - 1;
610     if (otherdata) {
611         if (n < 5) {
612             return;
613         }
614         // skip past the encoding, language, and the 0 separator
615         frameData += 4;
616         int32_t i = n - 4;
617         while(--i >= 0 && *++frameData != 0) ;
618         int skipped = (frameData - mFrameData);
619         if (skipped >= (int)n) {
620             return;
621         }
622         n -= skipped;
623     }
624 
625     if (n <= 0) {
626        return;
627     }
628 
629     if (encoding == 0x00) {
630         // supposedly ISO 8859-1
631         id->setTo((const char*)frameData + 1, n);
632     } else if (encoding == 0x03) {
633         // supposedly UTF-8
634         id->setTo((const char *)(frameData + 1), n);
635     } else if (encoding == 0x02) {
636         // supposedly UTF-16 BE, no byte order mark.
637         // API wants number of characters, not number of bytes...
638         int len = n / 2;
639         const char16_t *framedata = (const char16_t *) (frameData + 1);
640         char16_t *framedatacopy = NULL;
641 #if BYTE_ORDER == LITTLE_ENDIAN
642         if (len > 0) {
643             framedatacopy = new (std::nothrow) char16_t[len];
644             if (framedatacopy == NULL) {
645                 return;
646             }
647             for (int i = 0; i < len; i++) {
648                 framedatacopy[i] = bswap_16(framedata[i]);
649             }
650             framedata = framedatacopy;
651         }
652 #endif
653         id->setTo(framedata, len);
654         if (framedatacopy != NULL) {
655             delete[] framedatacopy;
656         }
657     } else if (encoding == 0x01) {
658         // UCS-2
659         // API wants number of characters, not number of bytes...
660         int len = n / 2;
661         if (len == 0) {
662             return;
663         }
664         const char16_t *framedata = (const char16_t *) (frameData + 1);
665         char16_t *framedatacopy = NULL;
666         if (*framedata == 0xfffe) {
667             // endianness marker != host endianness, convert & skip
668             if (len <= 1) {
669                 return;         // nothing after the marker
670             }
671             framedatacopy = new (std::nothrow) char16_t[len];
672             if (framedatacopy == NULL) {
673                 return;
674             }
675             for (int i = 0; i < len; i++) {
676                 framedatacopy[i] = bswap_16(framedata[i]);
677             }
678             framedata = framedatacopy;
679             // and skip over the marker
680             framedata++;
681             len--;
682         } else if (*framedata == 0xfeff) {
683             // endianness marker == host endianness, skip it
684             if (len <= 1) {
685                 return;         // nothing after the marker
686             }
687             framedata++;
688             len--;
689         }
690 
691         // check if the resulting data consists entirely of 8-bit values
692         bool eightBit = true;
693         for (int i = 0; i < len; i++) {
694             if (framedata[i] > 0xff) {
695                 eightBit = false;
696                 break;
697             }
698         }
699         if (eightBit) {
700             // collapse to 8 bit, then let the media scanner client figure out the real encoding
701             char *frame8 = new (std::nothrow) char[len];
702             if (frame8 != NULL) {
703                 for (int i = 0; i < len; i++) {
704                     frame8[i] = framedata[i];
705                 }
706                 id->setTo(frame8, len);
707                 delete [] frame8;
708             } else {
709                 id->setTo(framedata, len);
710             }
711         } else {
712             id->setTo(framedata, len);
713         }
714 
715         if (framedatacopy != NULL) {
716             delete[] framedatacopy;
717         }
718     }
719 }
720 
getData(size_t * length) const721 const uint8_t *ID3::Iterator::getData(size_t *length) const {
722     *length = 0;
723 
724     if (mFrameData == NULL) {
725         return NULL;
726     }
727 
728     // Prevent integer underflow
729     if (mFrameSize < getHeaderLength()) {
730         return NULL;
731     }
732 
733     *length = mFrameSize - getHeaderLength();
734 
735     return mFrameData;
736 }
737 
getHeaderLength() const738 size_t ID3::Iterator::getHeaderLength() const {
739     if (mParent.mVersion == ID3_V2_2) {
740         return 6;
741     } else if (mParent.mVersion == ID3_V2_3 || mParent.mVersion == ID3_V2_4) {
742         return 10;
743     } else {
744         CHECK(mParent.mVersion == ID3_V1 || mParent.mVersion == ID3_V1_1);
745         return 0;
746     }
747 }
748 
findFrame()749 void ID3::Iterator::findFrame() {
750     for (;;) {
751         mFrameData = NULL;
752         mFrameSize = 0;
753 
754         if (mParent.mVersion == ID3_V2_2) {
755             if (mOffset + 6 > mParent.mSize) {
756                 return;
757             }
758 
759             if (!memcmp(&mParent.mData[mOffset], "\0\0\0", 3)) {
760                 return;
761             }
762 
763             mFrameSize =
764                 (mParent.mData[mOffset + 3] << 16)
765                 | (mParent.mData[mOffset + 4] << 8)
766                 | mParent.mData[mOffset + 5];
767 
768             if (mFrameSize == 0) {
769                 return;
770             }
771             mFrameSize += 6; // add tag id and size field
772 
773             // Prevent integer overflow in validation
774             if (SIZE_MAX - mOffset <= mFrameSize) {
775                 return;
776             }
777 
778             if (mOffset + mFrameSize > mParent.mSize) {
779                 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
780                     mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)6);
781                 return;
782             }
783 
784             mFrameData = &mParent.mData[mOffset + 6];
785 
786             if (!mID) {
787                 break;
788             }
789 
790             char id[4];
791             memcpy(id, &mParent.mData[mOffset], 3);
792             id[3] = '\0';
793 
794             if (!strcmp(id, mID)) {
795                 break;
796             }
797         } else if (mParent.mVersion == ID3_V2_3
798                 || mParent.mVersion == ID3_V2_4) {
799             if (mOffset + 10 > mParent.mSize) {
800                 return;
801             }
802 
803             if (!memcmp(&mParent.mData[mOffset], "\0\0\0\0", 4)) {
804                 return;
805             }
806 
807             size_t baseSize = 0;
808             if (mParent.mVersion == ID3_V2_4) {
809                 if (!ParseSyncsafeInteger(
810                             &mParent.mData[mOffset + 4], &baseSize)) {
811                     return;
812                 }
813             } else {
814                 baseSize = U32_AT(&mParent.mData[mOffset + 4]);
815             }
816 
817             if (baseSize == 0) {
818                 return;
819             }
820 
821             // Prevent integer overflow when adding
822             if (SIZE_MAX - 10 <= baseSize) {
823                 return;
824             }
825 
826             mFrameSize = 10 + baseSize; // add tag id, size field and flags
827 
828             // Prevent integer overflow in validation
829             if (SIZE_MAX - mOffset <= mFrameSize) {
830                 return;
831             }
832 
833             if (mOffset + mFrameSize > mParent.mSize) {
834                 ALOGV("partial frame at offset %zu (size = %zu, bytes-remaining = %zu)",
835                     mOffset, mFrameSize, mParent.mSize - mOffset - (size_t)10);
836                 return;
837             }
838 
839             uint16_t flags = U16_AT(&mParent.mData[mOffset + 8]);
840 
841             if ((mParent.mVersion == ID3_V2_4 && (flags & 0x000c))
842                 || (mParent.mVersion == ID3_V2_3 && (flags & 0x00c0))) {
843                 // Compression or encryption are not supported at this time.
844                 // Per-frame unsynchronization and data-length indicator
845                 // have already been taken care of.
846 
847                 ALOGV("Skipping unsupported frame (compression, encryption "
848                      "or per-frame unsynchronization flagged");
849 
850                 mOffset += mFrameSize;
851                 continue;
852             }
853 
854             mFrameData = &mParent.mData[mOffset + 10];
855 
856             if (!mID) {
857                 break;
858             }
859 
860             char id[5];
861             memcpy(id, &mParent.mData[mOffset], 4);
862             id[4] = '\0';
863 
864             if (!strcmp(id, mID)) {
865                 break;
866             }
867         } else {
868             CHECK(mParent.mVersion == ID3_V1 || mParent.mVersion == ID3_V1_1);
869 
870             if (mOffset >= mParent.mSize) {
871                 return;
872             }
873 
874             mFrameData = &mParent.mData[mOffset];
875 
876             switch (mOffset) {
877                 case 3:
878                 case 33:
879                 case 63:
880                     mFrameSize = 30;
881                     break;
882                 case 93:
883                     mFrameSize = 4;
884                     break;
885                 case 97:
886                     if (mParent.mVersion == ID3_V1) {
887                         mFrameSize = 30;
888                     } else {
889                         mFrameSize = 29;
890                     }
891                     break;
892                 case 126:
893                     mFrameSize = 1;
894                     break;
895                 case 127:
896                     mFrameSize = 1;
897                     break;
898                 default:
899                     CHECK(!"Should not be here, invalid offset.");
900                     break;
901             }
902 
903             if (!mID) {
904                 break;
905             }
906 
907             String8 id;
908             getID(&id);
909 
910             if (id == mID) {
911                 break;
912             }
913         }
914 
915         mOffset += mFrameSize;
916     }
917 }
918 
919 // return includes terminator;  if unterminated, returns > limit
StringSize(const uint8_t * start,size_t limit,uint8_t encoding)920 static size_t StringSize(const uint8_t *start, size_t limit, uint8_t encoding) {
921 
922     if (encoding == 0x00 || encoding == 0x03) {
923         // ISO 8859-1 or UTF-8
924         return strnlen((const char *)start, limit) + 1;
925     }
926 
927     // UCS-2
928     size_t n = 0;
929     while ((n+1 < limit) && (start[n] != '\0' || start[n + 1] != '\0')) {
930         n += 2;
931     }
932     n += 2;
933     return n;
934 }
935 
936 const void *
getAlbumArt(size_t * length,String8 * mime) const937 ID3::getAlbumArt(size_t *length, String8 *mime) const {
938     *length = 0;
939     mime->setTo("");
940 
941     Iterator it(
942             *this,
943             (mVersion == ID3_V2_3 || mVersion == ID3_V2_4) ? "APIC" : "PIC");
944 
945     while (!it.done()) {
946         size_t size;
947         const uint8_t *data = it.getData(&size);
948         if (!data) {
949             return NULL;
950         }
951 
952         if (mVersion == ID3_V2_3 || mVersion == ID3_V2_4) {
953             uint8_t encoding = data[0];
954             size_t consumed = 1;
955 
956             // *always* in an 8-bit encoding
957             size_t mimeLen = StringSize(&data[consumed], size - consumed, 0x00);
958             if (mimeLen > size - consumed) {
959                 ALOGW("bogus album art size: mime");
960                 return NULL;
961             }
962             mime->setTo((const char *)&data[consumed]);
963             consumed += mimeLen;
964 
965 #if 0
966             uint8_t picType = data[consumed];
967             if (picType != 0x03) {
968                 // Front Cover Art
969                 it.next();
970                 continue;
971             }
972 #endif
973 
974             consumed++;
975             if (consumed >= size) {
976                 ALOGW("bogus album art size: pic type");
977                 return NULL;
978             }
979 
980             size_t descLen = StringSize(&data[consumed], size - consumed, encoding);
981             consumed += descLen;
982 
983             if (consumed >= size) {
984                 ALOGW("bogus album art size: description");
985                 return NULL;
986             }
987 
988             *length = size - consumed;
989 
990             return &data[consumed];
991         } else {
992             uint8_t encoding = data[0];
993 
994             if (size <= 5) {
995                 return NULL;
996             }
997 
998             if (!memcmp(&data[1], "PNG", 3)) {
999                 mime->setTo("image/png");
1000             } else if (!memcmp(&data[1], "JPG", 3)) {
1001                 mime->setTo("image/jpeg");
1002             } else if (!memcmp(&data[1], "-->", 3)) {
1003                 mime->setTo("text/plain");
1004             } else {
1005                 return NULL;
1006             }
1007 
1008 #if 0
1009             uint8_t picType = data[4];
1010             if (picType != 0x03) {
1011                 // Front Cover Art
1012                 it.next();
1013                 continue;
1014             }
1015 #endif
1016 
1017             size_t descLen = StringSize(&data[5], size - 5, encoding);
1018             if (descLen > size - 5) {
1019                 return NULL;
1020             }
1021 
1022             *length = size - 5 - descLen;
1023 
1024             return &data[5 + descLen];
1025         }
1026     }
1027 
1028     return NULL;
1029 }
1030 
parseV1(DataSourceBase * source)1031 bool ID3::parseV1(DataSourceBase *source) {
1032     const size_t V1_TAG_SIZE = 128;
1033 
1034     off64_t size;
1035     if (source->getSize(&size) != OK || size < (off64_t)V1_TAG_SIZE) {
1036         return false;
1037     }
1038 
1039     mData = (uint8_t *)malloc(V1_TAG_SIZE);
1040     if (source->readAt(size - V1_TAG_SIZE, mData, V1_TAG_SIZE)
1041             != (ssize_t)V1_TAG_SIZE) {
1042         free(mData);
1043         mData = NULL;
1044 
1045         return false;
1046     }
1047 
1048     if (memcmp("TAG", mData, 3)) {
1049         free(mData);
1050         mData = NULL;
1051 
1052         return false;
1053     }
1054 
1055     mSize = V1_TAG_SIZE;
1056     mFirstFrameOffset = 3;
1057 
1058     if (mData[V1_TAG_SIZE - 3] != 0) {
1059         mVersion = ID3_V1;
1060     } else {
1061         mVersion = ID3_V1_1;
1062     }
1063 
1064     return true;
1065 }
1066 
1067 }  // namespace android
1068