AACExtractor: check bounds during seek

author Robert Shih <robertshih@google.com>

Thu, 11 Jan 2018 22:38:23 +0000 (14:38 -0800)

committer android-build-team Robot <android-build-team-robot@google.com>

Thu, 18 Jan 2018 19:07:29 +0000 (19:07 +0000)
author Robert Shih <robertshih@google.com>
Thu, 11 Jan 2018 22:38:23 +0000 (14:38 -0800)
committer android-build-team Robot <android-build-team-robot@google.com>
Thu, 18 Jan 2018 19:07:29 +0000 (19:07 +0000)
diff --git a/media/libstagefright/AACExtractor.cpp b/media/libstagefright/AACExtractor.cpp

index 7449aa7..3ba1858 100644 (file)
--- a/media/libstagefright/AACExtractor.cpp
+++ b/media/libstagefright/AACExtractor.cpp
@@ -294,6 +294,10 @@ status_t AACSource::read(
      if (options && options->getSeekTo(&seekTimeUs, &mode)) {
          if (mFrameDurationUs > 0) {
              int64_t seekFrame = seekTimeUs / mFrameDurationUs;
+            if (seekFrame < 0 || seekFrame >= (int64_t)mOffsetVector.size()) {
+                android_errorWriteLog(0x534e4554, "70239507");
+                return ERROR_MALFORMED;
+            }
              mCurrentTimeUs = seekFrame * mFrameDurationUs;
  
              mOffset = mOffsetVector.itemAt(seekFrame);
author	Robert Shih <robertshih@google.com>
	Thu, 11 Jan 2018 22:38:23 +0000 (14:38 -0800)
committer	android-build-team Robot <android-build-team-robot@google.com>
	Thu, 18 Jan 2018 19:07:29 +0000 (19:07 +0000)