{"id":"ASB-A-231986464","details":"In pickStartSeq of AAVCAssembler.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-231986464","CVE-2022-20418"],"modified":"2026-05-27T15:53:17.428190120Z","published":"2022-10-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-10-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/91fddd9386c2e50e6fed87af2bed8b33da058a24"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-10-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874"],"vanir_signatures":[{"id":"ASB-A-231986464-3da4bc20","deprecated":false,"digest":{"function_hash":"186318213500322858317030057075640806937","length":612},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874","signature_version":"v1","target":{"file":"media/libstagefright/rtsp/AAVCAssembler.cpp","function":"AAVCAssembler::pickStartSeq"}},{"digest":{"line_hashes":["33273134424248102204873426562886638547","118225866074188131561038581601871043512","7053521713956208209239234160035963325","53843108038709408261758986378788463147","221001657218360458121184014253133680756","23650320090368215991700259217092649728","278123299452925255862619278334513598622","19370684990649715860870351065171013494","42182442105126889931792907059761585577","135452047894297885470045179470781198347","79480937815460144899662488111977935230","44084205801885496181331491169194622586"],"threshold":0.9},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874","signature_type":"Line","id":"ASB-A-231986464-b8ee4d4d","signature_version":"v1","target":{"file":"media/libstagefright/rtsp/AAVCAssembler.cpp"}}],"severity":"High","spl":"2022-10-01","types":["ID"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-231986464.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-10-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874"],"severity":"High","vanir_signatures":[{"digest":{"line_hashes":["33273134424248102204873426562886638547","118225866074188131561038581601871043512","7053521713956208209239234160035963325","53843108038709408261758986378788463147","221001657218360458121184014253133680756","23650320090368215991700259217092649728","278123299452925255862619278334513598622","19370684990649715860870351065171013494","42182442105126889931792907059761585577","135452047894297885470045179470781198347","79480937815460144899662488111977935230","44084205801885496181331491169194622586"],"threshold":0.9},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874","signature_type":"Line","id":"ASB-A-231986464-56628402","signature_version":"v1","target":{"file":"media/libstagefright/rtsp/AAVCAssembler.cpp"}},{"id":"ASB-A-231986464-f839752f","deprecated":false,"digest":{"function_hash":"186318213500322858317030057075640806937","length":612},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874","signature_version":"v1","target":{"file":"media/libstagefright/rtsp/AAVCAssembler.cpp","function":"AAVCAssembler::pickStartSeq"}}],"spl":"2022-10-01","types":["ID"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-231986464.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-10-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874"],"vanir_signatures":[{"digest":{"line_hashes":["33273134424248102204873426562886638547","118225866074188131561038581601871043512","7053521713956208209239234160035963325","53843108038709408261758986378788463147","221001657218360458121184014253133680756","23650320090368215991700259217092649728","278123299452925255862619278334513598622","19370684990649715860870351065171013494","42182442105126889931792907059761585577","135452047894297885470045179470781198347","79480937815460144899662488111977935230","44084205801885496181331491169194622586"],"threshold":0.9},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874","signature_type":"Line","id":"ASB-A-231986464-0a3b019d","signature_version":"v1","target":{"file":"media/libstagefright/rtsp/AAVCAssembler.cpp"}},{"source":"https://android.googlesource.com/platform/frameworks/av/+/2ebfe99b3a31aad82f8a186b136037509714d874","deprecated":false,"digest":{"function_hash":"186318213500322858317030057075640806937","length":612},"signature_type":"Function","id":"ASB-A-231986464-12631e04","signature_version":"v1","target":{"file":"media/libstagefright/rtsp/AAVCAssembler.cpp","function":"AAVCAssembler::pickStartSeq"}}],"severity":"High","spl":"2022-10-01","types":["ID"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-231986464.json"}}],"schema_version":"1.7.5"}