| author | Jean-Yves Avenard <jyavenard@mozilla.com> |
| Mon, 27 Jul 2015 16:25:17 -0400 | |
| changeset 254860 | a674c7019cb567bd4f8696d274b6fbf146363a65 |
| parent 254859 | e01d0f7a3c6fd95da3429a339a109a046c6e3451 |
| child 254861 | 43e7461188dcb84aadcd80be98703cdeda504a58 |
| push id | 29123 |
| push user | cbook@mozilla.com |
| push date | Tue, 28 Jul 2015 14:28:44 +0000 |
| treeherder | mozilla-central@bc589dd18ad5 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | kentuckyfriedtakahe |
| bugs | 1186718 |
| milestone | 42.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp | file | annotate | diff | comparison | revisions |
--- a/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp +++ b/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp @@ -133,33 +133,43 @@ status_t ESDS::parseESDescriptor(size_t unsigned URL_Flag = mData[offset] & 0x40; unsigned OCRstreamFlag = mData[offset] & 0x20; ++offset; --size; if (streamDependenceFlag) { offset += 2; + if (size <= 2) { + return ERROR_MALFORMED; + } size -= 2; } if (URL_Flag) { if (offset >= size) { return ERROR_MALFORMED; } unsigned URLlength = mData[offset]; offset += URLlength + 1; + if (size <= URLlength + 1) { + return ERROR_MALFORMED; + } size -= URLlength + 1; } if (OCRstreamFlag) { offset += 2; + if (size <= 2) { + return ERROR_MALFORMED; + } size -= 2; if ((offset >= size || mData[offset] != kTag_DecoderConfigDescriptor) + && offset >= 2 && offset - 2 < size && mData[offset - 2] == kTag_DecoderConfigDescriptor) { // Content found "in the wild" had OCRstreamFlag set but was // missing OCR_ES_Id, the decoder config descriptor immediately // followed instead. offset -= 2; size += 2;