MatroskaExtractor: detect infinite loop when parsing NALs Bug: 21335999 Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4 (cherry picked from commit 2dcf6138ebc9c5688aeae151d2fbde55a2826128)

commit: 407d475b797fdc595299d67151230dc6e3835ccd [log] [tgz]
author: Robert Shih <robertshih@google.com> Thu Jul 16 15:04:12 2015 -0700
committer: Abhishek Arya <aarya@google.com> Tue Aug 18 02:33:07 2015 +0000
tree: 0924f43fb9ccf6ebbf227b9da67d74b570766307
parent: deba0610c89d54390c9d2d0a0f3b79fd7679779c [diff]
diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp
index cf20428..25d0cf1 100644
--- a/media/libstagefright/matroska/MatroskaExtractor.cpp
+++ b/media/libstagefright/matroska/MatroskaExtractor.cpp

@@ -23,6 +23,7 @@
 #include "mkvparser.hpp"
 
 #include <media/stagefright/foundation/ADebug.h>
+#include <media/stagefright/foundation/AUtils.h>
 #include <media/stagefright/foundation/hexdump.h>
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/MediaBuffer.h>
@@ -563,7 +564,12 @@
                     TRESPASS();
             }
 
-            if (srcOffset + mNALSizeLen + NALsize > srcSize) {
+            if (srcOffset + mNALSizeLen + NALsize <= srcOffset + mNALSizeLen) {
+                frame->release();
+                frame = NULL;
+
+                return ERROR_MALFORMED;
+            } else if (srcOffset + mNALSizeLen + NALsize > srcSize) {
                 break;
             }
commit	407d475b797fdc595299d67151230dc6e3835ccd	[log] [tgz]
author	Robert Shih <robertshih@google.com>	Thu Jul 16 15:04:12 2015 -0700
committer	Abhishek Arya <aarya@google.com>	Tue Aug 18 02:33:07 2015 +0000
tree	0924f43fb9ccf6ebbf227b9da67d74b570766307
parent	deba0610c89d54390c9d2d0a0f3b79fd7679779c [diff]