AACExtractor: check bounds during seek

Bug: 70239507 Test: stagefright -a poc.aac Change-Id: I61225a04c76fe8855bd2591fb14b734099fa3be6 (cherry picked from commit 0790581021d89ae1d7242e5eb1197bfd12725c85)
author: Robert Shih <robertshih@google.com> 2018-01-11 14:38:23 -0800
committer: Tim Schumacher <timschumi@gmx.de> 2018-03-08 22:44:52 +0100
commit: 10d38db5dee8105fd5726983d2335ead53460a5f (patch)
tree: 7965e5efe35ab0b34947f1381684372e238737b2
parent: 122a2be9f0282f6954c12cbd4c0c6d62d33cc7f3 (diff)
download: frameworks_av-10d38db5dee8105fd5726983d2335ead53460a5f.tar.gz
frameworks_av-10d38db5dee8105fd5726983d2335ead53460a5f.tar.bz2
frameworks_av-10d38db5dee8105fd5726983d2335ead53460a5f.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/media/libstagefright/AACExtractor.cpp b/media/libstagefright/AACExtractor.cpp
index 2115eb4929..87538b589e 100644
--- a/media/libstagefright/AACExtractor.cpp
+++ b/media/libstagefright/AACExtractor.cpp
@@ -306,6 +306,10 @@ status_t AACSource::read(
     if (options && options->getSeekTo(&seekTimeUs, &mode)) {
         if (mFrameDurationUs > 0) {
             int64_t seekFrame = seekTimeUs / mFrameDurationUs;
+            if (seekFrame < 0 || seekFrame >= (int64_t)mOffsetVector.size()) {
+                android_errorWriteLog(0x534e4554, "70239507");
+                return ERROR_MALFORMED;
+            }
             mCurrentTimeUs = seekFrame * mFrameDurationUs;
 
             mOffset = mOffsetVector.itemAt(seekFrame);
author	Robert Shih <robertshih@google.com>	2018-01-11 14:38:23 -0800
committer	Tim Schumacher <timschumi@gmx.de>	2018-03-08 22:44:52 +0100
commit	10d38db5dee8105fd5726983d2335ead53460a5f (patch)
tree	7965e5efe35ab0b34947f1381684372e238737b2
parent	122a2be9f0282f6954c12cbd4c0c6d62d33cc7f3 (diff)
download	frameworks_av-10d38db5dee8105fd5726983d2335ead53460a5f.tar.gz frameworks_av-10d38db5dee8105fd5726983d2335ead53460a5f.tar.bz2 frameworks_av-10d38db5dee8105fd5726983d2335ead53460a5f.zip