Check vector size before accessing Bug: 22388975 Change-Id: I3c157b1029d37f6a22e6302ea7b52077fe27ce53 (cherry picked from commit 529c595b083f8a4c3175e2350fba5547e6008e00)

commit: 073e4f6748f5d7deb095c42fad9271cb99e22d07 [log] [tgz]
author: Marco Nelissen <marcone@google.com> Fri Jul 24 09:18:36 2015 -0700
committer: Abhishek Arya <aarya@google.com> Sat Aug 15 00:00:05 2015 +0000
tree: 41d8d9bfdb5e08c6bcb35f399634dfa9fea6b64a
parent: 3ce293842fed1b3abd2ff0aecd2a0c70a55086ee [diff]
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 56bd875..618d522 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp

@@ -2747,8 +2747,17 @@
     int ivlength;
     CHECK(mFormat->findInt32(kKeyCryptoDefaultIVSize, &ivlength));
 
+    // only 0, 8 and 16 byte initialization vectors are supported
+    if (ivlength != 0 && ivlength != 8 && ivlength != 16) {
+        ALOGW("unsupported IV length: %d", ivlength);
+        return ERROR_MALFORMED;
+    }
     // read CencSampleAuxiliaryDataFormats
     for (size_t i = 0; i < mCurrentSampleInfoCount; i++) {
+        if (i >= mCurrentSamples.size()) {
+            ALOGW("too few samples");
+            break;
+        }
         Sample *smpl = &mCurrentSamples.editItemAt(i);
 
         memset(smpl->iv, 0, 16);
commit	073e4f6748f5d7deb095c42fad9271cb99e22d07	[log] [tgz]
author	Marco Nelissen <marcone@google.com>	Fri Jul 24 09:18:36 2015 -0700
committer	Abhishek Arya <aarya@google.com>	Sat Aug 15 00:00:05 2015 +0000
tree	41d8d9bfdb5e08c6bcb35f399634dfa9fea6b64a
parent	3ce293842fed1b3abd2ff0aecd2a0c70a55086ee [diff]