Bug 1334971 - Part 1: Properly handle invalid PPS. r=gerald, a=gchang
authorJean-Yves Avenard <jyavenard@mozilla.com>
Tue, 07 Feb 2017 07:55:19 +0100
changeset 375995 019dfad9dcb7d506076a4b6e7479608b26b62ab9
parent 375994 70f5d60669540371ce4c967921ffc1ea0cb50424
child 375996 fb6d519b22986ea8978f4bd74f34fb02220b0b0d
push id6996
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 20:48:21 +0000
treeherdermozilla-beta@d89512dab048 [default view] [failures only]
reviewersgerald, gchang
bugs1334971
milestone53.0a2
Bug 1334971 - Part 1: Properly handle invalid PPS. r=gerald, a=gchang A PPS contains an id that is used as index inside an array. We must ensure that there's enough space in that array. Also fix H264::DecodePPS which incorrectly always returned an error when parsing a valid PPS. MozReview-Commit-ID: L1HUAdxWdu0
media/libstagefright/binding/H264.cpp
--- a/media/libstagefright/binding/H264.cpp
+++ b/media/libstagefright/binding/H264.cpp
@@ -748,19 +748,22 @@ H264::DecodePPSDataSetFromExtraData(cons
 
     RefPtr<mozilla::MediaByteBuffer> pps = DecodeNALUnit(rawNAL);
 
     if (!pps) {
       return false;
     }
 
     PPSData ppsData;
-    if(DecodePPS(pps, aSPSes, ppsData)) {
+    if (!DecodePPS(pps, aSPSes, ppsData)) {
       return false;
     }
+    if (ppsData.pic_parameter_set_id >= aDest.Length()) {
+      aDest.SetLength(ppsData.pic_parameter_set_id + 1);
+    }
     aDest[ppsData.pic_parameter_set_id] = Move(ppsData);
   }
   return true;
 }
 
 /* static */ bool
 H264::DecodePPS(const mozilla::MediaByteBuffer* aPPS, const SPSDataSet& aSPSes,
                 PPSData& aDest)
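Review bot: The new `aDest.SetLength(ppsData.pic_parameter_set_id + 1)` sizes the array from a value read out of the bitstream, and nothing at this call site shows the bound that keeps that growth small. The cap appears to come from `READUE(pic_parameter_set_id, MAX_PPS_COUNT - 1)` inside DecodePPS, so I would state it here with a comment such as `// id is capped at MAX_PPS_COUNT - 1 by DecodePPS, so this growth is bounded`, or enforce it with `MOZ_ASSERT(ppsData.pic_parameter_set_id < MAX_PPS_COUNT);`. Growing past the old length also leaves the intermediate slots default-constructed. Whether later lookups can tell such a slot from a decoded PPS is not visible here and is worth confirming. The enclosing function starts above this hunk.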
@@ -773,16 +776,20 @@ H264::DecodePPS(const mozilla::MediaByte
     return false;
   }
 
   BitReader br(aPPS, GetBitLength(aPPS));
 
   READUE(pic_parameter_set_id, MAX_PPS_COUNT - 1);
   READUE(seq_parameter_set_id, MAX_SPS_COUNT - 1);
 
+  if (aDest.seq_parameter_set_id >= aSPSes.Length()) {
+    // Invalid SPS id.
+    return false;
+  }
   const SPSData& sps = aSPSes[aDest.seq_parameter_set_id];
 
   memcpy(aDest.scaling_matrix4x4, sps.scaling_matrix4x4,
          sizeof(aDest.scaling_matrix4x4));
   memcpy(aDest.scaling_matrix8x8, sps.scaling_matrix8x8,
          sizeof(aDest.scaling_matrix8x8));
 
   aDest.entropy_coding_mode_flag = br.ReadBit();
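Review bot: The added `aDest.seq_parameter_set_id >= aSPSes.Length()` check proves that the slot exists, not that an SPS was ever decoded into it. If the SPS set is grown the same way as the PPS set in the first hunk, with gaps filled by default-constructed entries (not visible here), a PPS naming an unsent SPS id below the length would still pass and copy default scaling matrices in the `memcpy` calls that follow. If SPSData carries any marker of having been parsed, testing it here would close that gap. Otherwise the comment could record the assumption, e.g. `// SPS id is outside the decoded set; entries below Length() are assumed populated`. DecodePPS begins above this hunk and continues below it.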