Bug 1092370 - Tighten up MP3FrameParser - r=cpearce
authorEdwin Flores <edwin@mozilla.com>
Fri, 30 Jan 2015 16:54:12 +1300
changeset 226750 a1961f96d4a7f199a0745370b9129f9785038e66
parent 226749 35ef327737b6f0c7ce7769db3235e35f3bf76901
child 226751 ae4c8ecf7145aea1e765effe4e647fb3db233964
push id28205
push userryanvm@gmail.com
push dateFri, 30 Jan 2015 17:32:20 +0000
treeherdermozilla-central@d7e156a7a0a6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscpearce
bugs1092370
milestone38.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1092370 - Tighten up MP3FrameParser - r=cpearce
dom/media/MP3FrameParser.cpp
--- a/dom/media/MP3FrameParser.cpp
+++ b/dom/media/MP3FrameParser.cpp
@@ -332,16 +332,21 @@ nsresult MP3FrameParser::ParseBuffer(con
   // If we haven't found any MP3 frame data yet, there might be ID3 headers
   // we can skip over.
   if (mMP3Offset < 0) {
     for (const uint8_t *ch = buffer; ch < bufferEnd; ch++) {
       if (mID3Parser.ParseChar(*ch)) {
         // Found an ID3 header. We don't care about the body of the header, so
         // just skip past.
         buffer = ch + mID3Parser.GetHeaderLength() - (ID3_HEADER_LENGTH - 1);
+
+        if (buffer <= ch) {
+          return NS_ERROR_FAILURE;
+        }
+
         ch = buffer;
 
         mTotalID3Size += mID3Parser.GetHeaderLength();
 
         // Yes, this is an MP3!
         mIsMP3 = DEFINITELY_MP3;
 
         mID3Parser.Reset();