AACExtractor: check bounds during seek
Bug: 70239507
Test: stagefright -a poc.aac
Change-Id: I61225a04c76fe8855bd2591fb14b734099fa3be6
(cherry picked from commit 0790581021d89ae1d7242e5eb1197bfd12725c85)
diff --git a/media/libstagefright/AACExtractor.cpp b/media/libstagefright/AACExtractor.cpp
index 19efc53..e3f113a 100644
--- a/media/libstagefright/AACExtractor.cpp
+++ b/media/libstagefright/AACExtractor.cpp
@@ -292,6 +292,10 @@
if (options && options->getSeekTo(&seekTimeUs, &mode)) {
if (mFrameDurationUs > 0) {
int64_t seekFrame = seekTimeUs / mFrameDurationUs;
+ if (seekFrame < 0 || seekFrame >= (int64_t)mOffsetVector.size()) {
+ android_errorWriteLog(0x534e4554, "70239507");
+ return ERROR_MALFORMED;
+ }
mCurrentTimeUs = seekFrame * mFrameDurationUs;
mOffset = mOffsetVector.itemAt(seekFrame);