From e33fadf02a9d08f71086bd4f1487c0571c828fa2 Mon Sep 17 00:00:00 2001 From: Jeff Tinker Date: Tue, 11 Aug 2015 15:52:26 -0700 Subject: Check integer overflow to prevent memory corruption bug: 23016072 Change-Id: If3c9a835408773847c0024a812bd8b4915ebd680 (cherry picked from commit fa8ebb45fd850f56ca1bf64fbed3ac11e10c7d3d) Tested-by: Wolfgang Wiedmeyer --- media/libstagefright/DRMExtractor.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'media') diff --git a/media/libstagefright/DRMExtractor.cpp b/media/libstagefright/DRMExtractor.cpp index 63cb430..9cb6e86 100644 --- a/media/libstagefright/DRMExtractor.cpp +++ b/media/libstagefright/DRMExtractor.cpp @@ -186,7 +186,8 @@ status_t DRMSource::read(MediaBuffer **buffer, const ReadOptions *options) { srcOffset += mNALLengthSize; - if (srcOffset + nalLength > len) { + size_t end = srcOffset + nalLength; + if (end > len || end < srcOffset) { if (decryptedDrmBuffer.data) { delete [] decryptedDrmBuffer.data; decryptedDrmBuffer.data = NULL; -- cgit v1.1