Bug 523816 - Fix calculation of CMML record size. r=roc
authorMatthew Gregan <kinetik@flim.org>
Fri, 23 Oct 2009 11:11:35 +1300
changeset 26500 14dd26404792
parent 26499 8754481f4c53
child 26501 2f9a687a93f1
push id2066
push usermgregan@mozilla.com
push date2009-10-27 22:34 +0000
reviewersroc
bugs523816
milestone1.9.1.5pre
Bug 523816 - Fix calculation of CMML record size. r=roc
media/liboggplay/README_MOZILLA
media/liboggplay/bug523816.patch
media/liboggplay/src/liboggplay/oggplay_data.c
media/liboggplay/update.sh
--- a/media/liboggplay/README_MOZILLA
+++ b/media/liboggplay/README_MOZILLA
@@ -29,8 +29,9 @@ fix-17ef4ca82df28.patch: Fix oggplay_cal
                          Fixes liboggplay changeset 17ef4ca82df28.
 
 handle-read-errors.patch: Make oggplay_initialise() handle closing of stream
                           while reading. Prevents infinite loop. Further fix
                           to 17ef4ca82df28.
 
 bug504843.patch: Abort when decoding video excessively large video frames.
 
+bug523816.patch: Correct CMML data buffer size calculation.
new file mode 100644
--- /dev/null
+++ b/media/liboggplay/bug523816.patch
@@ -0,0 +1,29 @@
+diff --git a/media/liboggplay/src/liboggplay/oggplay_data.c b/media/liboggplay/src/liboggplay/oggplay_data.c
+--- a/media/liboggplay/src/liboggplay/oggplay_data.c
++++ b/media/liboggplay/src/liboggplay/oggplay_data.c
+@@ -353,22 +353,19 @@ oggplay_data_handle_audio_data (OggPlayD
+ OggPlayErrorCode
+ oggplay_data_handle_cmml_data(OggPlayDecode *decode, 
+                               unsigned char *data, 
+                               long size) {
+ 
+   OggPlayTextRecord * record = NULL;
+   size_t              record_size = sizeof(OggPlayTextRecord);
+ 
+-  /* check that the size we want to allocate doesn't overflow */
+-  if ((size < 0) || (size+1 < 0)) {
+-    return E_OGGPLAY_TYPE_OVERFLOW;
+-  }
+-  size += 1;
+-  
++  /* Include extra byte for null terminating record data buffer */
++  record_size += 1;
++
+   if 
+   (
+     oggplay_check_add_overflow (record_size, size, &record_size)
+     == 
+     E_OGGPLAY_TYPE_OVERFLOW
+   ) 
+   {
+     return E_OGGPLAY_TYPE_OVERFLOW;
--- a/media/liboggplay/src/liboggplay/oggplay_data.c
+++ b/media/liboggplay/src/liboggplay/oggplay_data.c
@@ -353,22 +353,19 @@ oggplay_data_handle_audio_data (OggPlayD
 OggPlayErrorCode
 oggplay_data_handle_cmml_data(OggPlayDecode *decode, 
                               unsigned char *data, 
                               long size) {
 
   OggPlayTextRecord * record = NULL;
   size_t              record_size = sizeof(OggPlayTextRecord);
 
-  /* check that the size we want to allocate doesn't overflow */
-  if ((size < 0) || (size+1 < 0)) {
-    return E_OGGPLAY_TYPE_OVERFLOW;
-  }
-  size += 1;
-  
+  /* Include extra byte for null terminating record data buffer */
+  record_size += 1;
+
   if 
   (
     oggplay_check_add_overflow (record_size, size, &record_size)
     == 
     E_OGGPLAY_TYPE_OVERFLOW
   ) 
   {
     return E_OGGPLAY_TYPE_OVERFLOW;
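Review bot: Removing the `size < 0` guard leaves a negative `size` (a `long`) to be handled entirely by `oggplay_check_add_overflow`, whose parameter types are not visible in this hunk; if it takes `size_t` operands, a negative value converts to a huge unsigned one and whether the sum wraps back below `record_size` depends on the magnitude, so the rejection is no longer explicit. A cheap explicit check before the add-overflow call keeps the intent obvious, `if (size < 0) { return E_OGGPLAY_TYPE_OVERFLOW; }`, and makes the later use of `size` as a buffer length (outside the hunk) safe regardless of the helper's signature. The body of oggplay_data_handle_cmml_data continues past the hunk, and the same change would need to go into the copy carried in bug523816.patch, since update.sh applies that file.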
--- a/media/liboggplay/update.sh
+++ b/media/liboggplay/update.sh
@@ -52,9 +52,9 @@ patch -p3 < seek_to_key_frame.patch
 patch -p3 < bug487519.patch
 rm -f src/liboggplay/os2_semaphore.c
 rm -f src/liboggplay/os2_semaphore.h
 patch -p3 < oggplay_os2.patch
 patch -p3 < bug500311.patch
 patch -p3 < fix-17ef4ca82df28.patch
 patch -p3 < handle-read-errors.patch
 patch -p3 < bug504843.patch
-
+patch -p3 < bug523816.patch