Bug 1186718 - Ensure ESDS have valid size. r=kentuckyfriedtakahe
authorJean-Yves Avenard <jyavenard@mozilla.com>
Mon, 27 Jul 2015 16:25:17 -0400
changeset 254860 a674c7019cb567bd4f8696d274b6fbf146363a65
parent 254859 e01d0f7a3c6fd95da3429a339a109a046c6e3451
child 254861 43e7461188dcb84aadcd80be98703cdeda504a58
push id29123
push usercbook@mozilla.com
push dateTue, 28 Jul 2015 14:28:44 +0000
reviewerskentuckyfriedtakahe
bugs1186718
milestone42.0a1
Bug 1186718 - Ensure ESDS have valid size. r=kentuckyfriedtakahe
media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
@@ -133,33 +133,43 @@ status_t ESDS::parseESDescriptor(size_t 
     unsigned URL_Flag = mData[offset] & 0x40;
     unsigned OCRstreamFlag = mData[offset] & 0x20;
 
     ++offset;
     --size;
 
     if (streamDependenceFlag) {
         offset += 2;
+        if (size <= 2) {
+            return ERROR_MALFORMED;
+        }
         size -= 2;
     }
 
     if (URL_Flag) {
         if (offset >= size) {
             return ERROR_MALFORMED;
         }
         unsigned URLlength = mData[offset];
         offset += URLlength + 1;
+        if (size <= URLlength + 1) {
+            return ERROR_MALFORMED;
+        }
         size -= URLlength + 1;
     }
 
     if (OCRstreamFlag) {
         offset += 2;
+        if (size <= 2) {
+            return ERROR_MALFORMED;
+        }
         size -= 2;
 
         if ((offset >= size || mData[offset] != kTag_DecoderConfigDescriptor)
+                && offset >= 2
                 && offset - 2 < size
                 && mData[offset - 2] == kTag_DecoderConfigDescriptor) {
             // Content found "in the wild" had OCRstreamFlag set but was
             // missing OCR_ES_Id, the decoder config descriptor immediately
             // followed instead.
             offset -= 2;
             size += 2;