MatroskaExtractor: detect infinite loop when parsing NALs

Bug: 21335999 Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4 (cherry picked from commit 2dcf6138)

MatroskaExtractor: detect infinite loop when parsing NALs
Bug: 21335999 Change-Id: I76bd34610e52048ffcf16e41aa6175afc8a14ee4 (cherry picked from commit 2dcf6138)
520cd7c0 · Robert Shih · The Android Automerger · 65b1cf37 · 520cd7c0
Commit 520cd7c0 authored 9 years ago by Robert Shih Committed by The Android Automerger 9 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

media/libstagefright/matroska/MatroskaExtractor.cpp media/libstagefright/matroska/MatroskaExtractor.cpp +7 -1

No files found.
--- a/media/libstagefright/matroska/MatroskaExtractor.cpp
+++ b/media/libstagefright/matroska/MatroskaExtractor.cpp
@@ -21,6 +21,7 @@
 #include "MatroskaExtractor.h"

 #include <media/stagefright/foundation/ADebug.h>
+#include <media/stagefright/foundation/AUtils.h>
 #include <media/stagefright/foundation/hexdump.h>
 #include <media/stagefright/DataSource.h>
 #include <media/stagefright/MediaBuffer.h>
@@ -631,7 +632,12 @@ status_t MatroskaSource::read(
                    TRESPASS();
            }

-            if (srcOffset + mNALSizeLen + NALsize > srcSize) {
+            if (srcOffset + mNALSizeLen + NALsize <= srcOffset + mNALSizeLen) {
+                frame->release();
+                frame = NULL;
+
+                return ERROR_MALFORMED;
+            } else if (srcOffset + mNALSizeLen + NALsize > srcSize) {
                break;
            }