Merge "Fix security vulnerability in libstagefright" into klp-dev am: eb37c37c59 am: 883b244f45 am: 31a3aa5628 am: f11141924a am: 64149d756a * commit '64149d756a3b32635247248419778631daf3e294': Fix security vulnerability in libstagefright Change-Id: I114de4c4b430e9fd44d8204dd54db4abd5f29035

commit: 16f7ee09b0ce814c7f45085b095c56ba44ba4133 [log] [tgz]
author: Jeff Tinker <jtinker@google.com> Fri May 13 21:26:13 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Fri May 13 21:26:13 2016 +0000
tree: b8571fb4809b15aad05628dc81bd2aa8cc16906b
parent: 548439e243accefdb42d318175aedd281a225da4 [diff]
parent: 64149d756a3b32635247248419778631daf3e294 [diff]
diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp
index 9cb6e86..e2bc89c 100644
--- a/media/libstagefright/DRMExtractor.cpp
+++ b/media/libstagefright/DRMExtractor.cpp

@@ -200,7 +200,17 @@
                 continue;
             }
 
-            CHECK(dstOffset + 4 <= (*buffer)->size());
+            if (dstOffset > SIZE_MAX - 4 ||
+                dstOffset + 4 > SIZE_MAX - nalLength ||
+                dstOffset + 4 + nalLength > (*buffer)->size()) {
+                (*buffer)->release();
+                (*buffer) = NULL;
+                if (decryptedDrmBuffer.data) {
+                    delete [] decryptedDrmBuffer.data;
+                    decryptedDrmBuffer.data = NULL;
+                }
+                return ERROR_MALFORMED;
+            }
 
             dstData[dstOffset++] = 0;
             dstData[dstOffset++] = 0;
commit	16f7ee09b0ce814c7f45085b095c56ba44ba4133	[log] [tgz]
author	Jeff Tinker <jtinker@google.com>	Fri May 13 21:26:13 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Fri May 13 21:26:13 2016 +0000
tree	b8571fb4809b15aad05628dc81bd2aa8cc16906b
parent	548439e243accefdb42d318175aedd281a225da4 [diff]
parent	64149d756a3b32635247248419778631daf3e294 [diff]