Check integer overflow to prevent memory corruption bug: 23016072 Change-Id: If3c9a835408773847c0024a812bd8b4915ebd680 (cherry picked from commit fa8ebb45fd850f56ca1bf64fbed3ac11e10c7d3d)

commit: e88d2ac5696771c75169fd586cddb9c6c02bea98 [log] [tgz]
author: Jeff Tinker <jtinker@google.com> Tue Aug 11 15:52:26 2015 -0700
committer: The Android Automerger <android-build@android.com> Tue Sep 01 19:14:35 2015 -0700
tree: 6f3ecbe225675264b3b0eef2889ddecefa6d85ce
parent: 21c79a535a109788bcfd2fabff21b73625115faf [diff]
diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp
index 63cb430..9cb6e86 100644
--- a/media/libstagefright/DRMExtractor.cpp
+++ b/media/libstagefright/DRMExtractor.cpp

@@ -186,7 +186,8 @@
 
             srcOffset += mNALLengthSize;
 
-            if (srcOffset + nalLength > len) {
+            size_t end = srcOffset + nalLength;
+            if (end > len || end < srcOffset) {
                 if (decryptedDrmBuffer.data) {
                     delete [] decryptedDrmBuffer.data;
                     decryptedDrmBuffer.data = NULL;
commit	e88d2ac5696771c75169fd586cddb9c6c02bea98	[log] [tgz]
author	Jeff Tinker <jtinker@google.com>	Tue Aug 11 15:52:26 2015 -0700
committer	The Android Automerger <android-build@android.com>	Tue Sep 01 19:14:35 2015 -0700
tree	6f3ecbe225675264b3b0eef2889ddecefa6d85ce
parent	21c79a535a109788bcfd2fabff21b73625115faf [diff]