commit 0071d87e243d5f1612dc1e31b4caa1fe191fea90
author Robert Shih <robertshih@google.com> Thu Jul 16 15:04:12 2015 -0700
committer The Android Automerger <android-build@android.com> Tue Sep 01 19:19:49 2015 -0700
tree f57d44d00d0081adad11bf34ccbdcacafd24fb12
parent 04140c8682edf1ec20313995ad9af9321c9d293b

MatroskaExtractor: detect infinite loop when parsing NALs

Bug: 21335999
Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4
(cherry picked from commit 2dcf6138ebc9c5688aeae151d2fbde55a2826128)

media/libstagefright/matroska/MatroskaExtractor.cpp

diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp
index 9da835d..e53319b 100644
--- a/media/libstagefright/matroska/MatroskaExtractor.cpp
+++ b/media/libstagefright/matroska/MatroskaExtractor.cpp
@@ -21,6 +21,7 @@
 #include "MatroskaExtractor.h"
 
 #include <media/stagefright/foundation/ADebug.h>
+#include <media/stagefright/foundation/AUtils.h>
 #include <media/stagefright/foundation/hexdump.h>
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/MediaBuffer.h>
@@ -631,7 +632,12 @@
                     TRESPASS();
             }
 
-            if (srcOffset + mNALSizeLen + NALsize > srcSize) {
+            if (srcOffset + mNALSizeLen + NALsize <= srcOffset + mNALSizeLen) {
+                frame->release();
+                frame = NULL;
+
+                return ERROR_MALFORMED;
+            } else if (srcOffset + mNALSizeLen + NALsize > srcSize) {
                 break;
             }