Bug 1334971: P1. Properly handle invalid PPS. r=gerald
authorJean-Yves Avenard <jyavenard@mozilla.com>
Tue, 07 Feb 2017 07:55:19 +0100
changeset 341130 5ef27c9b65efd9457f65d014082c2383bbd4aad7
parent 341129 56b0d9ecb97b83a94f8edef1a44f3b3926facd5d
child 341131 27f9cf49b9fe0a029def3a56adc2d5ff97ce963b
push id86634
push usercbook@mozilla.com
push dateTue, 07 Feb 2017 13:14:58 +0000
treeherdermozilla-inbound@9dbd2d9b334e [default view] [failures only]
reviewersgerald
bugs1334971
milestone54.0a1
Bug 1334971: P1. Properly handle invalid PPS. r=gerald A PPS contains an id that is used as index inside an array. We must ensure that there's enough space in that array. Also fix H264::DecodePPS which incorrectly always returned an error when parsing a valid PPS. MozReview-Commit-ID: L1HUAdxWdu0
media/libstagefright/binding/H264.cpp
--- a/media/libstagefright/binding/H264.cpp
+++ b/media/libstagefright/binding/H264.cpp
@@ -748,19 +748,22 @@ H264::DecodePPSDataSetFromExtraData(cons
 
     RefPtr<mozilla::MediaByteBuffer> pps = DecodeNALUnit(rawNAL);
 
     if (!pps) {
       return false;
     }
 
     PPSData ppsData;
-    if(DecodePPS(pps, aSPSes, ppsData)) {
+    if (!DecodePPS(pps, aSPSes, ppsData)) {
       return false;
     }
+    if (ppsData.pic_parameter_set_id >= aDest.Length()) {
+      aDest.SetLength(ppsData.pic_parameter_set_id + 1);
+    }
     aDest[ppsData.pic_parameter_set_id] = Move(ppsData);
   }
   return true;
 }
 
 /* static */ bool
 H264::DecodePPS(const mozilla::MediaByteBuffer* aPPS, const SPSDataSet& aSPSes,
                 PPSData& aDest)
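Review bot: The growth in `aDest.SetLength(ppsData.pic_parameter_set_id + 1)` is only bounded because DecodePPS caps the id through `READUE(pic_parameter_set_id, MAX_PPS_COUNT - 1)`, and nothing at this call site records that dependency. Stating it next to the resize, for example `MOZ_ASSERT(ppsData.pic_parameter_set_id < MAX_PPS_COUNT);` with the comment `// id is capped by DecodePPS, so this growth is bounded`, would keep a later parser change from turning a stream-supplied value into an unchecked allocation size. Growing the array also leaves any skipped ids as default-constructed PPSData entries, so readers of aDest presumably need a way to tell a parsed entry from a hole; that is not visible here. DecodePPSDataSetFromExtraData starts above this hunk.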
@@ -773,16 +776,20 @@ H264::DecodePPS(const mozilla::MediaByte
     return false;
   }
 
   BitReader br(aPPS, GetBitLength(aPPS));
 
   READUE(pic_parameter_set_id, MAX_PPS_COUNT - 1);
   READUE(seq_parameter_set_id, MAX_SPS_COUNT - 1);
 
+  if (aDest.seq_parameter_set_id >= aSPSes.Length()) {
+    // Invalid SPS id.
+    return false;
+  }
   const SPSData& sps = aSPSes[aDest.seq_parameter_set_id];
 
   memcpy(aDest.scaling_matrix4x4, sps.scaling_matrix4x4,
          sizeof(aDest.scaling_matrix4x4));
   memcpy(aDest.scaling_matrix8x8, sps.scaling_matrix8x8,
          sizeof(aDest.scaling_matrix8x8));
 
   aDest.entropy_coding_mode_flag = br.ReadBit();
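Review bot: The new bounds check before `aSPSes[aDest.seq_parameter_set_id]` rejects ids past the end of the array, but an in-range id may still name a slot that no SPS was ever parsed into, if SPSDataSet is filled by id with gaps the way the PPS set is in the first hunk. In that case the two memcpy calls would copy scaling matrices from a default entry instead of failing. If SPSData carries a validity marker it should be tested here as well; otherwise the comment could be widened to `// SPS id is outside the set parsed so far; entries inside the range are assumed populated.` DecodePPS begins above this hunk and continues below it.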