Bug 1123507 - Prevent out of bound memory access. r=edwin, a=sledru
authorJean-Yves Avenard <jyavenard@mozilla.com>
Tue, 20 Jan 2015 13:42:30 +1100
changeset 249301 b5727b11abfb0ce75437f2113dfc18d128d9a1f7
parent 249300 e9db42b98c3740a8bd5efe7464fec68a0857b7d4
child 249302 13ee27a57a9b0a62c5af0a5283dba249b6fee6c5
push id4489
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 15:17:55 +0000
treeherdermozilla-beta@fd7c3dc24146 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersedwin, sledru
bugs1123507
milestone37.0a2
Bug 1123507 - Prevent out of bound memory access. r=edwin, a=sledru
media/libstagefright/binding/Box.cpp
--- a/media/libstagefright/binding/Box.cpp
+++ b/media/libstagefright/binding/Box.cpp
@@ -43,18 +43,18 @@ Box::Box(BoxContext* aContext, uint64_t 
   uint64_t size = BigEndian::readUint32(header);
   if (size == 1) {
     uint8_t bigLength[8];
     MediaByteRange bigLengthRange(headerRange.mEnd,
                                   headerRange.mEnd + sizeof(bigLength));
     if ((mParent && !mParent->mRange.Contains(bigLengthRange)) ||
         !byteRange->Contains(bigLengthRange) ||
         !mContext->mSource->CachedReadAt(aOffset, bigLength,
-                                         sizeof(bigLengthRange), &bytes) ||
-        bytes != sizeof(bigLengthRange)) {
+                                         sizeof(bigLength), &bytes) ||
+        bytes != sizeof(bigLength)) {
       return;
     }
     size = BigEndian::readUint64(bigLength);
     mChildOffset = bigLengthRange.mEnd;
   } else {
     mChildOffset = headerRange.mEnd;
   }