Add missing bounds checks Bug: 231986464 Test: Manually, using POC from bug and using Photos RTSP playback. Change-Id: Ie3494d592e7b36629317ba51717b528dab13e0fb (cherry picked from commit ed1b480e202fb58caa9e7ce8b00ccaa6a3b125c0) Merged-In: Ie3494d592e7b36629317ba51717b528dab13e0fb (cherry picked from commit 2ebfe99b3a31aad82f8a186b136037509714d874) Merged-In: Ie3494d592e7b36629317ba51717b528dab13e0fb
diff --git a/media/libstagefright/rtsp/AAVCAssembler.cpp b/media/libstagefright/rtsp/AAVCAssembler.cpp
index 2f516d5..ddf797c 100644
--- a/media/libstagefright/rtsp/AAVCAssembler.cpp
+++ b/media/libstagefright/rtsp/AAVCAssembler.cpp
@@ -618,13 +618,14 @@
 int32_t AAVCAssembler::pickStartSeq(const Queue *queue, uint32_t first, int64_t play, int64_t jit) {
+ CHECK(!queue->empty());
 // pick the first sequence number has the start bit.
 sp<ABuffer> buffer = *(queue->begin());
 int32_t firstSeqNo = buffer->int32Data();
 // This only works for FU-A type & non-start sequence
- unsigned nalType = buffer->data()[0] & 0x1f;
- if (nalType != 28 || buffer->data()[1] & 0x80) {
+ int32_t nalType = buffer->size() >= 1 ? buffer->data()[0] & 0x1f : -1;
+ if (nalType != 28 || (buffer->size() >= 2 && buffer->data()[1] & 0x80)) {
 return firstSeqNo;
 }
@@ -634,7 +635,7 @@
 if (rtpTime + jit >= play) {
 break;
 }
- if ((data[1] & 0x80)) {
+ if (it->size() >= 2 && (data[1] & 0x80)) {
 const int32_t seqNo = it->int32Data();
 ALOGE("finding [HEAD] pkt. \t Seq# (%d ~ )[%d", firstSeqNo, seqNo);
 firstSeqNo = seqNo;
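Review bot: `CHECK(!queue->empty())` at the top of pickStartSeq turns an empty queue into a process abort, so if any caller can reach this function while network-driven state has drained the queue, the out-of-bounds read is traded for a crash of the media process. The callers are not visible here, so either return early on an empty queue or add a comment naming the caller that guarantees non-emptiness. Separately, a first packet of exactly one byte whose type is 28 passes both new tests and falls through to the scan as if it were a non-start FU-A fragment, although it carries no FU header at all. Folding the length into the early return, `if (buffer->size() < 2 || (buffer->data()[0] & 0x1f) != 28 || (buffer->data()[1] & 0x80)) {`, would reject truncated packets in one place and drop the -1 sentinel. The function body continues past the end of this hunk.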
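Review bot: The new `it->size() >= 2` guard covers the `data[1]` read, but nothing in the visible lines confirms that the packet is an FU-A (type 28) before bit 0x80 of its second byte is taken as the start flag, unlike the first-packet test earlier in the function. The loop head and the assignment of `data` are outside this hunk, so the type may already be filtered there. If it is not, a non-fragment packet whose second byte happens to have the top bit set would be picked as a fragment head. Consider `if (it->size() >= 2 && (data[0] & 0x1f) == 28 && (data[1] & 0x80)) {`, or a small helper shared with the first-packet test so the length check and the bit test cannot drift apart.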