Merge "MatroskaExtractor: detect infinite loop when parsing NALs" into mnc-dev

commit: 84e4987ffc8d4bb6731bcb28d69a7ff37a0e9921 [log] [tgz]
author: Robert Shih <robertshih@google.com> Mon Jul 20 22:56:08 2015 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Mon Jul 20 22:56:08 2015 +0000
tree: bbc293885a0d23d95d5e11adff7bb288d71f0ff3
parent: 40c33635760fe9d5bd3df1f347381bdc215805db [diff]
parent: 2dcf6138ebc9c5688aeae151d2fbde55a2826128 [diff]
diff --git a/media/libstagefright/matroska/MatroskaExtractor.cpp b/media/libstagefright/matroska/MatroskaExtractor.cpp
index 70d2c69..e8bd432 100644
--- a/media/libstagefright/matroska/MatroskaExtractor.cpp
+++ b/media/libstagefright/matroska/MatroskaExtractor.cpp

@@ -21,6 +21,7 @@
 #include "MatroskaExtractor.h"
 
 #include <media/stagefright/foundation/ADebug.h>
+#include <media/stagefright/foundation/AUtils.h>
 #include <media/stagefright/foundation/hexdump.h>
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/MediaBuffer.h>
@@ -620,7 +621,12 @@
                     TRESPASS();
             }
 
-            if (srcOffset + mNALSizeLen + NALsize > srcSize) {
+            if (srcOffset + mNALSizeLen + NALsize <= srcOffset + mNALSizeLen) {
+                frame->release();
+                frame = NULL;
+
+                return ERROR_MALFORMED;
+            } else if (srcOffset + mNALSizeLen + NALsize > srcSize) {
                 break;
             }
commit	84e4987ffc8d4bb6731bcb28d69a7ff37a0e9921	[log] [tgz]
author	Robert Shih <robertshih@google.com>	Mon Jul 20 22:56:08 2015 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Mon Jul 20 22:56:08 2015 +0000
tree	bbc293885a0d23d95d5e11adff7bb288d71f0ff3
parent	40c33635760fe9d5bd3df1f347381bdc215805db [diff]
parent	2dcf6138ebc9c5688aeae151d2fbde55a2826128 [diff]