Merge "Fix security vulnerability in libstagefright" into klp-dev am: eb37c37c59 am: 883b244f45 am: 31a3aa5628 am: f11141924a am: 64149d756a am: 16f7ee09b0 am: f518e50178 am: eb919fc1d3 am: 7e580879e0 am: a78d7f2d49 * commit 'a78d7f2d49d1d4ca2bf64e4f64ebcc16a008987b': Fix security vulnerability in libstagefright Change-Id: I12f1c1c266ae15813bcc2b132b79d0fd8ddeab5c

commit: e47ede5c6b67d042a116cca99fd9cb73af84362b [log] [tgz]
author: Jeff Tinker <jtinker@google.com> Fri May 13 21:42:41 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Fri May 13 21:42:41 2016 +0000
tree: f79c7ace74470b107593b906939e75081e4fd70a
parent: ec5e9c0f9911e280ba8344a40891b7a12a67ec34 [diff]
parent: a78d7f2d49d1d4ca2bf64e4f64ebcc16a008987b [diff]
diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp
index 9cb6e86..e2bc89c 100644
--- a/media/libstagefright/DRMExtractor.cpp
+++ b/media/libstagefright/DRMExtractor.cpp

@@ -200,7 +200,17 @@
                 continue;
             }
 
-            CHECK(dstOffset + 4 <= (*buffer)->size());
+            if (dstOffset > SIZE_MAX - 4 ||
+                dstOffset + 4 > SIZE_MAX - nalLength ||
+                dstOffset + 4 + nalLength > (*buffer)->size()) {
+                (*buffer)->release();
+                (*buffer) = NULL;
+                if (decryptedDrmBuffer.data) {
+                    delete [] decryptedDrmBuffer.data;
+                    decryptedDrmBuffer.data = NULL;
+                }
+                return ERROR_MALFORMED;
+            }
 
             dstData[dstOffset++] = 0;
             dstData[dstOffset++] = 0;
commit	e47ede5c6b67d042a116cca99fd9cb73af84362b	[log] [tgz]
author	Jeff Tinker <jtinker@google.com>	Fri May 13 21:42:41 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Fri May 13 21:42:41 2016 +0000
tree	f79c7ace74470b107593b906939e75081e4fd70a
parent	ec5e9c0f9911e280ba8344a40891b7a12a67ec34 [diff]
parent	a78d7f2d49d1d4ca2bf64e4f64ebcc16a008987b [diff]