Bug 1206211: P1. Ensure operation can't overflow. r=kentuckyfriedtakahe
authorJean-Yves Avenard <jyavenard@mozilla.com>
Thu, 24 Sep 2015 13:05:01 +1000
changeset 264199 680e1f669ea5cbd74fa27705b8a61de469d1748d
parent 264198 8e634cc7b44a4ea7dadc58de3236facabbfcb0a9
child 264200 708cf76b6cb44a8565d013621d7ef9f71ab3ac78
push id29431
push userkwierso@gmail.com
push dateThu, 24 Sep 2015 23:46:41 +0000
treeherdermozilla-central@eee426604698 [default view] [failures only]
reviewerskentuckyfriedtakahe
bugs1206211
milestone44.0a1
Bug 1206211: P1. Ensure operation can't overflow. r=kentuckyfriedtakahe
media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -502,20 +502,23 @@ status_t MPEG4Extractor::readMetaData() 
         mInitCheck = OK;
     } else {
         mInitCheck = err;
     }
 
     CHECK_NE(err, (status_t)NO_INIT);
 
     // copy pssh data into file metadata
-    int psshsize = 0;
+    uint64_t psshsize = 0;
     for (size_t i = 0; i < mPssh.Length(); i++) {
         psshsize += 20 + mPssh[i].datalen;
     }
+    if (psshsize > kMAX_ALLOCATION) {
+        return ERROR_MALFORMED;
+    }
     if (psshsize) {
         char *buf = (char*)malloc(psshsize);
         char *ptr = buf;
         for (size_t i = 0; i < mPssh.Length(); i++) {
             memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
             memcpy(ptr + 20, mPssh[i].data, mPssh[i].datalen);
             ptr += (20 + mPssh[i].datalen);
         }