Bug 1186718 - Ensure ESDS have valid size. r=kentuckyfriedtakahe, a=2.2+
authorJean-Yves Avenard <jyavenard@mozilla.com>
Mon, 27 Jul 2015 16:25:17 -0400
changeset 238745 1ba4654d04a97ec88d4d3b757fb92afdae7de40a
parent 238744 c9cf0f212fac2486845d7b29eba28ec06d3d276b
child 238746 24092ee0061aa002769fe3fbbcfe9995eb38f4a4
push id755
push userryanvm@gmail.com
push dateMon, 27 Jul 2015 23:59:00 +0000
reviewerskentuckyfriedtakahe, 2.2
bugs1186718
milestone37.0
Bug 1186718 - Ensure ESDS have valid size. r=kentuckyfriedtakahe, a=2.2+
media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
@@ -133,33 +133,43 @@ status_t ESDS::parseESDescriptor(size_t 
     unsigned URL_Flag = mData[offset] & 0x40;
     unsigned OCRstreamFlag = mData[offset] & 0x20;
 
     ++offset;
     --size;
 
     if (streamDependenceFlag) {
         offset += 2;
+        if (size <= 2) {
+            return ERROR_MALFORMED;
+        }
         size -= 2;
     }
 
     if (URL_Flag) {
         if (offset >= size) {
             return ERROR_MALFORMED;
         }
         unsigned URLlength = mData[offset];
         offset += URLlength + 1;
+        if (size <= URLlength + 1) {
+            return ERROR_MALFORMED;
+        }
         size -= URLlength + 1;
     }
 
     if (OCRstreamFlag) {
         offset += 2;
+        if (size <= 2) {
+            return ERROR_MALFORMED;
+        }
         size -= 2;
 
         if ((offset >= size || mData[offset] != kTag_DecoderConfigDescriptor)
+                && offset >= 2
                 && offset - 2 < size
                 && mData[offset - 2] == kTag_DecoderConfigDescriptor) {
             // Content found "in the wild" had OCRstreamFlag set but was
             // missing OCR_ES_Id, the decoder config descriptor immediately
             // followed instead.
             offset -= 2;
             size += 2;