Bug 1274637 - Detect OOB copy attempts in clearkey decryptor - r=cpearce, a=ritu
authorGerald Squelart <gsquelart@mozilla.com>
Thu, 26 May 2016 19:46:40 +0200
changeset 341837 31348bf997584cddcac6d741c1070c03f4a5ca5c
parent 341836 c6b972226566ca6230a11b58577178f5992c1064
child 341838 d219f175e1802a357e64a7b7d9159f6ef8b3afcc
push id1183
push userraliiev@mozilla.com
push dateMon, 05 Sep 2016 20:01:49 +0000
treeherdermozilla-release@3148731bed45 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscpearce, ritu
bugs1274637
milestone49.0a2
Bug 1274637 - Detect OOB copy attempts in clearkey decryptor - r=cpearce, a=ritu MozReview-Commit-ID: LgXe8xrQvzs
media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp
--- a/media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp
+++ b/media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp
@@ -177,16 +177,20 @@ ClearKeyDecryptor::Decrypt(uint8_t* aBuf
   if (aMetadata.NumSubsamples()) {
     // Take all encrypted parts of subsamples and stitch them into one
     // continuous encrypted buffer.
     uint8_t* data = aBuffer;
     uint8_t* iter = &tmp[0];
     for (size_t i = 0; i < aMetadata.NumSubsamples(); i++) {
       data += aMetadata.mClearBytes[i];
       uint32_t cipherBytes = aMetadata.mCipherBytes[i];
+      if (data + cipherBytes > aBuffer + aBufferSize) {
+        // Trying to read past the end of the buffer!
+        return GMPCryptoErr;
+      }
 
       memcpy(iter, data, cipherBytes);
 
       data += cipherBytes;
       iter += cipherBytes;
     }
 
     tmp.resize((size_t)(iter - &tmp[0]));