Bug 1092370 - Tighten up MP3FrameParser. r=cpearce, a=2.1+
authorEdwin Flores <edwin@mozilla.com>
Fri, 30 Jan 2015 16:54:12 +1300
changeset 221715 70b8982a523d9779f39181a7d41658811a89d87e
parent 221714 205b89828e36606b3d1e44472c3f1db8ca2865a4
child 221716 5145ffc25679ae44f04610bfe55f3ba24722b52f
push id358
push userryanvm@gmail.com
push dateFri, 30 Jan 2015 21:59:57 +0000
treeherdermozilla-b2g34_v2_1@70b8982a523d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscpearce, 2
bugs1092370
milestone34.0
Bug 1092370 - Tighten up MP3FrameParser. r=cpearce, a=2.1+
content/media/MP3FrameParser.cpp
--- a/content/media/MP3FrameParser.cpp
+++ b/content/media/MP3FrameParser.cpp
@@ -332,16 +332,21 @@ nsresult MP3FrameParser::ParseBuffer(con
   // If we haven't found any MP3 frame data yet, there might be ID3 headers
   // we can skip over.
   if (mMP3Offset < 0) {
     for (const uint8_t *ch = buffer; ch < bufferEnd; ch++) {
       if (mID3Parser.ParseChar(*ch)) {
         // Found an ID3 header. We don't care about the body of the header, so
         // just skip past.
         buffer = ch + mID3Parser.GetHeaderLength() - (ID3_HEADER_LENGTH - 1);
+
+        if (buffer <= ch) {
+          return NS_ERROR_FAILURE;
+        }
+
         ch = buffer;
 
         mTotalID3Size += mID3Parser.GetHeaderLength();
 
         // Yes, this is an MP3!
         mIsMP3 = DEFINITELY_MP3;
 
         mID3Parser.Reset();