
Side by Side Diff: media/formats/mp2t/es_parser_h264.cc

Issue 1896533002: Check frame coded size in H264 parsers to avoid integer overflows (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 8 months ago
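--- a/media/formats/mp2t/es_parser_h264.cc
+++ b/media/formats/mp2t/es_parser_h264.cc
@@ -1,16 +1,18 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "media/formats/mp2t/es_parser_h264.h"
 
+#include <limits>
+
 #include "base/logging.h"
 #include "base/numerics/safe_conversions.h"
 #include "media/base/encryption_scheme.h"
 #include "media/base/media_util.h"
 #include "media/base/stream_parser_buffer.h"
 #include "media/base/timestamp_constants.h"
 #include "media/base/video_frame.h"
 #include "media/filters/h264_parser.h"
 #include "media/formats/common/offset_byte_queue.h"
 #include "media/formats/mp2t/mp2t_common.h"
@@ -290,22 +292,30 @@
 }
 
 bool EsParserH264::UpdateVideoDecoderConfig(const H264SPS* sps,
 const EncryptionScheme& scheme) {
 // Set the SAR to 1 when not specified in the H264 stream.
 int sar_width = (sps->sar_width == 0) ? 1 : sps->sar_width;
 int sar_height = (sps->sar_height == 0) ? 1 : sps->sar_height;
 
 // TODO(damienv): a MAP unit can be either 16 or 32 pixels.
 // although it's 16 pixels for progressive non MBAFF frames.
-gfx::Size coded_size((sps->pic_width_in_mbs_minus1 + 1) * 16,
-(sps->pic_height_in_map_units_minus1 + 1) * 16);
+int width_mb = sps->pic_width_in_mbs_minus1 + 1;
+int height_mb = sps->pic_height_in_map_units_minus1 + 1;
+if (width_mb > std::numeric_limits<int>::max() / 16 ||
+height_mb > std::numeric_limits<int>::max() / 16) {
+DVLOG(1) << "Picture size is too big: width_mb=" << width_mb
+<< " height_mb=" << height_mb;
+return false;
+}
+
+gfx::Size coded_size(16 * width_mb, 16 * height_mb);
 gfx::Rect visible_rect(
 sps->frame_crop_left_offset,
 sps->frame_crop_top_offset,
 (coded_size.width() - sps->frame_crop_right_offset) -
 sps->frame_crop_left_offset,
 (coded_size.height() - sps->frame_crop_bottom_offset) -
 sps->frame_crop_top_offset);
 if (visible_rect.width() <= 0 || visible_rect.height() <= 0)
 return false;
 gfx::Size natural_size(
@@ -330,10 +340,10 @@
 << " height=" << sps->sar_height;
 last_video_decoder_config_ = video_decoder_config;
 es_adapter_.OnConfigChanged(video_decoder_config);
 }
 
 return true;
 }
 
 } // namespace mp2t
 } // namespace media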
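Review bot: The bound check at new lines 304–305 runs only after `sps->pic_width_in_mbs_minus1 + 1` and `sps->pic_height_in_map_units_minus1 + 1` have been evaluated at 302–303. If those SPS fields are plain `int` (their declaration is not on this page), a stream value of INT_MAX overflows before the guard sees it, and a negative field value passes the guard untouched. Testing the raw fields first closes both cases, e.g. `if (sps->pic_width_in_mbs_minus1 < 0 || sps->pic_width_in_mbs_minus1 >= std::numeric_limits<int>::max() / 16) return false;`, with the same test for the height field. The crop-offset subtractions at 315–318 also work on stream-supplied values with no range check, and the `<= 0` test at 319 only catches results that end up non-positive, so unless H264Parser already bounds the crop offsets they should be compared against `coded_size` before subtracting. Part of UpdateVideoDecoderConfig's body is elided on this page (18 skipped lines), so this covers only the visible arithmetic.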