Bug 1186718 - Ensure ESDS have valid size. r=kentuckyfriedtakahe, a=lmandel
authorJean-Yves Avenard <jyavenard@mozilla.com>
Mon, 27 Jul 2015 16:25:17 -0400
changeset 275479 64fb14a330e36c02b6c7ae794dbaa5b19f0949a7
parent 275478 df25d99a85a2430b8b95bfdfb4e57f1cd3bee0e1
child 275480 a07b1ad5a0779f27c28358eedef136189b51c860
child 275482 6e885fb17596e47f223c9b591cfca8e797858d28
child 275484 dd9232b36d1aea8146a8ed1af7279ff2dbcdc824
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
reviewerskentuckyfriedtakahe, lmandel
bugs1186718
milestone40.0
Bug 1186718 - Ensure ESDS have valid size. r=kentuckyfriedtakahe, a=lmandel
media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/ESDS.cpp
@@ -133,33 +133,43 @@ status_t ESDS::parseESDescriptor(size_t 
     unsigned URL_Flag = mData[offset] & 0x40;
     unsigned OCRstreamFlag = mData[offset] & 0x20;
 
     ++offset;
     --size;
 
     if (streamDependenceFlag) {
         offset += 2;
+        if (size <= 2) {
+            return ERROR_MALFORMED;
+        }
         size -= 2;
     }
 
     if (URL_Flag) {
         if (offset >= size) {
             return ERROR_MALFORMED;
         }
         unsigned URLlength = mData[offset];
         offset += URLlength + 1;
+        if (size <= URLlength + 1) {
+            return ERROR_MALFORMED;
+        }
         size -= URLlength + 1;
     }
 
     if (OCRstreamFlag) {
         offset += 2;
+        if (size <= 2) {
+            return ERROR_MALFORMED;
+        }
         size -= 2;
 
         if ((offset >= size || mData[offset] != kTag_DecoderConfigDescriptor)
+                && offset >= 2
                 && offset - 2 < size
                 && mData[offset - 2] == kTag_DecoderConfigDescriptor) {
             // Content found "in the wild" had OCRstreamFlag set but was
             // missing OCR_ES_Id, the decoder config descriptor immediately
             // followed instead.
             offset -= 2;
             size += 2;