Avoid read out of bounds Bug: 230493653 Change-Id: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2 Merged-In: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2 Test: See bug for PoC. (cherry picked from commit 306aad773337f228bffcf5bf07a3e6663226f42c) (cherry picked from commit 9d33304ec75b366ed9750e7bde6f96f8c704e1c8) Merged-In: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2

commit: 3b933840bc3839b8f99b2689257e365ec2d134db [log] [tgz]
author: Santiago Seifert <aquilescanta@google.com> Thu May 19 15:29:26 2022 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Sat Jun 11 16:36:39 2022 +0000
tree: 7ed429fa623e2bec0ed0020eb0c7aa3083bb40fe
parent: c7456ee4ac576257fc23b5614c182424c58a3bfb [diff]
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
index 8836c47..65c0238 100644
--- a/media/extractors/mp4/MPEG4Extractor.cpp
+++ b/media/extractors/mp4/MPEG4Extractor.cpp

@@ -4771,7 +4771,7 @@
         if (len2 == 0) {
             return ERROR_MALFORMED;
         }
-        if (offset >= csd_size || csd[offset] != 0x01) {
+        if (offset + len1 > csd_size || csd[offset] != 0x01) {
             return ERROR_MALFORMED;
         }
commit	3b933840bc3839b8f99b2689257e365ec2d134db	[log] [tgz]
author	Santiago Seifert <aquilescanta@google.com>	Thu May 19 15:29:26 2022 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	Sat Jun 11 16:36:39 2022 +0000
tree	7ed429fa623e2bec0ed0020eb0c7aa3083bb40fe
parent	c7456ee4ac576257fc23b5614c182424c58a3bfb [diff]