Check integer overflow to prevent memory corruption
bug: 23016072
Change-Id: If3c9a835408773847c0024a812bd8b4915ebd680
(cherry picked from commit fa8ebb45fd850f56ca1bf64fbed3ac11e10c7d3d)
diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp
index 63cb430..9cb6e86 100644
--- a/media/libstagefright/DRMExtractor.cpp
+++ b/media/libstagefright/DRMExtractor.cpp
@@ -186,7 +186,8 @@
srcOffset += mNALLengthSize;
- if (srcOffset + nalLength > len) {
+ size_t end = srcOffset + nalLength;
+ if (end > len || end < srcOffset) {
if (decryptedDrmBuffer.data) {
delete [] decryptedDrmBuffer.data;
decryptedDrmBuffer.data = NULL;