MPEG4Extractor: Limit ID3 parsing to chunk_data_size

Instead of allowing ID3 parsing to read entire buffer,
pass a buffer with only relevant chunk_data_size bytes

Test: atest android.media.cts.MediaMetadataRetrieverTest#\
      testID3v2Metadata
Test: poc in bug
Bug: 123237930

Change-Id: I2d6997d16e18d595c5bced02194eb20ab11184e6

media/extractors/mp4/MPEG4Extractor.cpp

@@ -2896,7 +2896,7 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
                 return ERROR_MALFORMED;
             }
 
-            parseID3v2MetaData(data_offset + 6);
+            parseID3v2MetaData(data_offset + 6, chunk_data_size - 6);
 
             break;
         }
@@ -4167,8 +4167,19 @@ status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int dept
     return OK;
 }
 
-void MPEG4Extractor::parseID3v2MetaData(off64_t offset) {
-    ID3 id3(mDataSource, true /* ignorev1 */, offset);
+void MPEG4Extractor::parseID3v2MetaData(off64_t offset, uint64_t size) {
+    uint8_t *buffer = new (std::nothrow) uint8_t[size];
+    if (buffer == NULL) {
+        return;
+    }
+    if (mDataSource->readAt(offset, buffer, size) != (ssize_t)size) {
+        delete[] buffer;
+        buffer = NULL;
+        return;
+    }
+
+    ID3 id3(buffer, size, true /* ignorev1 */);
+    delete[] buffer;
 
     if (id3.isValid()) {
         struct Map {

media/extractors/mp4/MPEG4Extractor.h

@@ -161,7 +161,7 @@ private:
     status_t parseITunesMetaData(off64_t offset, size_t size);
     status_t parseColorInfo(off64_t offset, size_t size);
     status_t parse3GPPMetaData(off64_t offset, size_t size, int depth);
-    void parseID3v2MetaData(off64_t offset);
+    void parseID3v2MetaData(off64_t offset, uint64_t size);
     status_t parseQTMetaKey(off64_t data_offset, size_t data_size);
     status_t parseQTMetaVal(int32_t keyId, off64_t data_offset, size_t data_size);