Bug 1334971: P1. Properly handle invalid PPS. r=gerald
authorJean-Yves Avenard <jyavenard@mozilla.com>
Tue, 07 Feb 2017 07:55:19 +0100
changeset 479912 5ef27c9b65efd9457f65d014082c2383bbd4aad7
parent 479911 56b0d9ecb97b83a94f8edef1a44f3b3926facd5d
child 479913 27f9cf49b9fe0a029def3a56adc2d5ff97ce963b
push id44393
push userVYV03354@nifty.ne.jp
push dateTue, 07 Feb 2017 13:53:48 +0000
reviewersgerald
bugs1334971
milestone54.0a1
Bug 1334971: P1. Properly handle invalid PPS. r=gerald A PPS contains an id that is used as index inside an array. We must ensure that there's enough space in that array. Also fix H264::DecodePPS which incorrectly always returned an error when parsing a valid PPS. MozReview-Commit-ID: L1HUAdxWdu0
media/libstagefright/binding/H264.cpp
--- a/media/libstagefright/binding/H264.cpp
+++ b/media/libstagefright/binding/H264.cpp
@@ -748,19 +748,22 @@ H264::DecodePPSDataSetFromExtraData(cons
 
     RefPtr<mozilla::MediaByteBuffer> pps = DecodeNALUnit(rawNAL);
 
     if (!pps) {
       return false;
     }
 
     PPSData ppsData;
-    if(DecodePPS(pps, aSPSes, ppsData)) {
+    if (!DecodePPS(pps, aSPSes, ppsData)) {
       return false;
     }
+    if (ppsData.pic_parameter_set_id >= aDest.Length()) {
+      aDest.SetLength(ppsData.pic_parameter_set_id + 1);
+    }
     aDest[ppsData.pic_parameter_set_id] = Move(ppsData);
   }
   return true;
 }
 
 /* static */ bool
 H264::DecodePPS(const mozilla::MediaByteBuffer* aPPS, const SPSDataSet& aSPSes,
                 PPSData& aDest)
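Review bot: Growing `aDest` with `SetLength(ppsData.pic_parameter_set_id + 1)` leaves default-constructed `PPSData` entries at every lower id that was never parsed, and nothing visible in this hunk marks which slots hold a decoded PPS. As far as the hunk shows, a later lookup by PPS id could read one of those empty slots as if it were valid. The same question applies to the `aSPSes[aDest.seq_parameter_set_id]` lookup in the DecodePPS hunk, where the new length check proves only that the index is in range, not that an SPS was decoded there. If the data structs carry no populated marker, consider adding one, and at minimum add a comment here such as `// Ids are capped at MAX_PPS_COUNT - 1 by READUE in DecodePPS, so this growth is bounded; skipped ids stay default-constructed.` DecodePPSDataSetFromExtraData starts outside the hunk.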
@@ -773,16 +776,20 @@ H264::DecodePPS(const mozilla::MediaByte
     return false;
   }
 
   BitReader br(aPPS, GetBitLength(aPPS));
 
   READUE(pic_parameter_set_id, MAX_PPS_COUNT - 1);
   READUE(seq_parameter_set_id, MAX_SPS_COUNT - 1);
 
+  if (aDest.seq_parameter_set_id >= aSPSes.Length()) {
+    // Invalid SPS id.
+    return false;
+  }
   const SPSData& sps = aSPSes[aDest.seq_parameter_set_id];
 
   memcpy(aDest.scaling_matrix4x4, sps.scaling_matrix4x4,
          sizeof(aDest.scaling_matrix4x4));
   memcpy(aDest.scaling_matrix8x8, sps.scaling_matrix8x8,
          sizeof(aDest.scaling_matrix8x8));
 
   aDest.entropy_coding_mode_flag = br.ReadBit();
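Review bot: The comment `// Invalid SPS id.` on the new bounds check does not say what makes the id invalid, given that READUE has already limited it to `MAX_SPS_COUNT - 1` just above. Stating that the check is against the SPSes actually supplied would make the intent clear to the next reader: `// The PPS refers to an SPS id beyond those in aSPSes; reject it instead of indexing out of range.` DecodePPS's body starts above and continues below the hunk.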