commit | 3b933840bc3839b8f99b2689257e365ec2d134db | [log] [tgz] |
---|---|---|
author | Santiago Seifert <aquilescanta@google.com> | Thu May 19 15:29:26 2022 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Sat Jun 11 16:36:39 2022 +0000 |
tree | 7ed429fa623e2bec0ed0020eb0c7aa3083bb40fe | |
parent | c7456ee4ac576257fc23b5614c182424c58a3bfb [diff] |
Avoid read out of bounds Bug: 230493653 Change-Id: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2 Merged-In: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2 Test: See bug for PoC. (cherry picked from commit 306aad773337f228bffcf5bf07a3e6663226f42c) (cherry picked from commit 9d33304ec75b366ed9750e7bde6f96f8c704e1c8) Merged-In: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp index 8836c47..65c0238 100644 --- a/media/extractors/mp4/MPEG4Extractor.cpp +++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -4771,7 +4771,7 @@ if (len2 == 0) { return ERROR_MALFORMED; } - if (offset >= csd_size || csd[offset] != 0x01) { + if (offset + len1 > csd_size || csd[offset] != 0x01) { return ERROR_MALFORMED; }