Fix security vulnerability in libstagefright bug: 28175045 Change-Id: Icee6c7eb5b761da4aa3e412fb71825508d74d38f

commit: 9d85f1d2d27cb734d58efaa8a97a91895bdb5e0a [log] [tgz]
author: Jeff Tinker <jtinker@google.com> Fri May 13 11:48:11 2016 -0700
committer: The Android Automerger <android-build@google.com> Fri May 27 11:08:05 2016 -0700
tree: 1b29f16be01280552f6912f27e9da42bdbecc19f
parent: 68465da423c8213ef655e8e4965682f3ee8866a5 [diff]
diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp
index 9cb6e86..e2bc89c 100644
--- a/media/libstagefright/DRMExtractor.cpp
+++ b/media/libstagefright/DRMExtractor.cpp

@@ -200,7 +200,17 @@
                 continue;
             }
 
-            CHECK(dstOffset + 4 <= (*buffer)->size());
+            if (dstOffset > SIZE_MAX - 4 ||
+                dstOffset + 4 > SIZE_MAX - nalLength ||
+                dstOffset + 4 + nalLength > (*buffer)->size()) {
+                (*buffer)->release();
+                (*buffer) = NULL;
+                if (decryptedDrmBuffer.data) {
+                    delete [] decryptedDrmBuffer.data;
+                    decryptedDrmBuffer.data = NULL;
+                }
+                return ERROR_MALFORMED;
+            }
 
             dstData[dstOffset++] = 0;
             dstData[dstOffset++] = 0;
commit	9d85f1d2d27cb734d58efaa8a97a91895bdb5e0a	[log] [tgz]
author	Jeff Tinker <jtinker@google.com>	Fri May 13 11:48:11 2016 -0700
committer	The Android Automerger <android-build@google.com>	Fri May 27 11:08:05 2016 -0700
tree	1b29f16be01280552f6912f27e9da42bdbecc19f
parent	68465da423c8213ef655e8e4965682f3ee8866a5 [diff]