Fix out of bounds read and write in onQueueFilled in outQueue Bug: 276442130 Test: POC in bug descriptions (cherry picked from https://partner-android-review.googlesource.com/q/commit:7aef41e59412e2f95bab5de7e33f5f04bb808643) (cherry picked from commit 8f4cfda9fc75f1e9ba3b6dee3fbffda4b6111d64) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:208e430bc6380fafafca8041b239f835263a9d47) Merged-In: Ic230d10048193a785f185dc6a7de6f455f9318c1 Change-Id: Ic230d10048193a785f185dc6a7de6f455f9318c1

commit: a52c14a5b49f26efafa581dea653b4179d66909e [log] [tgz]
author: Haripriya Deshmukh <haripriya.deshmukh@ittiam.com> Tue Dec 05 18:32:38 2023 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu Jan 11 04:45:44 2024 +0000
tree: 74dd4e3c65cce957825ed98d5fb2282f7194eb55
parent: 8f3bc8be16480367bac36effa25706133a0dc22d [diff]
diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
index a4b3e2f..14c3fa0 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp

@@ -312,8 +312,11 @@
         outHeader->nFilledLen = frameSize;
 
         List<BufferInfo *>::iterator it = outQueue.begin();
-        while ((*it)->mHeader != outHeader) {
-            ++it;
+        while (it != outQueue.end() && (*it)->mHeader != outHeader) {
+             ++it;
+        }
+        if (it == outQueue.end()) {
+            return;
         }
 
         BufferInfo *outInfo = *it;
commit	a52c14a5b49f26efafa581dea653b4179d66909e	[log] [tgz]
author	Haripriya Deshmukh <haripriya.deshmukh@ittiam.com>	Tue Dec 05 18:32:38 2023 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	Thu Jan 11 04:45:44 2024 +0000
tree	74dd4e3c65cce957825ed98d5fb2282f7194eb55
parent	8f3bc8be16480367bac36effa25706133a0dc22d [diff]