commit | 9d33304ec75b366ed9750e7bde6f96f8c704e1c8 | [log] [tgz] |
---|---|---|
author | Santiago Seifert <aquilescanta@google.com> | Thu May 19 15:29:26 2022 +0000 |
committer | Santiago Seifert <aquilescanta@google.com> | Fri May 20 12:44:41 2022 +0000 |
tree | c525bf4fbfa1f83220976700e43f9e2085318e78 | |
parent | ac5f5cade22029ffada814347500535a368d88d9 [diff] |
Avoid read out of bounds Bug: 230493653 Change-Id: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2 Merged-In: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2 Test: See bug for PoC. (cherry picked from commit 306aad773337f228bffcf5bf07a3e6663226f42c)
diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp index d3cb66f..49c684e 100644 --- a/media/extractors/mp4/MPEG4Extractor.cpp +++ b/media/extractors/mp4/MPEG4Extractor.cpp
@@ -4358,7 +4358,7 @@ if (len2 == 0) { return ERROR_MALFORMED; } - if (offset >= csd_size || csd[offset] != 0x01) { + if (offset + len1 > csd_size || csd[offset] != 0x01) { return ERROR_MALFORMED; } // formerly kKeyVorbisInfo