Bug 1216748 - p4. Check other Metadata::setData uses - r=rillian
author Gerald Squelart <gsquelart@mozilla.com>
Wed, 11 Nov 2015 12:36:26 +0100
changeset 308266 330c1763806e3c1ec477084b0ec13e40a4d33fda
parent 308265 71113b0fe61f105583f2d7f3718b16896f874000
child 308267 98c4817458d1f8b6aca34cd848176f1a71e764dd
push id 7450
push user ahalberstadt@mozilla.com
push date Wed, 11 Nov 2015 20:09:05 +0000
reviewers rillian
bugs 1216748
milestone 45.0a1
Bug 1216748 - p4. Check other Metadata::setData uses - r=rillian

Found only one other use that needed better checks: the size of the pssh data was only checked after all items were added up; so it would be possible to create a set of big items such that they create an overflow, but the final sum looks reasonable. Instead each item size should be checked, and the sum should also be checked at each step.
media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -509,19 +509,20 @@ status_t MPEG4Extractor::readMetaData() 
     }
 
     CHECK_NE(err, (status_t)NO_INIT);
 
     // copy pssh data into file metadata
     uint64_t psshsize = 0;
     for (size_t i = 0; i < mPssh.Length(); i++) {
         psshsize += 20 + mPssh[i].datalen;
-    }
-    if (psshsize > kMAX_ALLOCATION) {
-        return ERROR_MALFORMED;
+        if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
+            psshsize > kMAX_ALLOCATION) {
+            return ERROR_MALFORMED;
+        }
     }
     if (psshsize) {
         char *buf = (char*)malloc(psshsize);
         if (!buf) {
             return ERROR_MALFORMED;
         }
         char *ptr = buf;
         for (size_t i = 0; i < mPssh.Length(); i++) {
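Review bot: In the first loop, `psshsize += 20 + mPssh[i].datalen` still runs before the new per-item test, so the running sum is updated with an unvalidated size and only rejected afterwards. As written this is safe because the function returns ERROR_MALFORMED before psshsize reaches malloc, but testing `mPssh[i].datalen > kMAX_ALLOCATION - 20` first and accumulating only after it passes would make the ordering self-evident, and would stay correct if datalen is narrower than 64 bits, in which case `20 + mPssh[i].datalen` could wrap in the narrower type before being widened (the field's type is not visible in this hunk). The literal 20 now appears in both the addition and the bound; a named constant for the per-item header size would keep the two in step. A short comment stating that both the item size and the partial sum are bounded on every iteration would also help the next reader, since that reasoning currently lives only in the commit message.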