media/filters/h264_parser.cc - Issue 2300253002: H264Parser: Check bounds for |expected_delta_per_pic_order_cnt_cycle|

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: media/filters/h264_parser.cc

Issue 2300253002: H264Parser: Check bounds for |expected_delta_per_pic_order_cnt_cycle| (Closed)

Patch Set: Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: media/filters/h264_parser.cc

diff --git a/media/filters/h264_parser.cc b/media/filters/h264_parser.cc

index 0c84c47533f284e3a5f26cb975da50fc014df338..991599e2accd577a09e05c85edb52b596e599ffb 100644

--- a/media/filters/h264_parser.cc

+++ b/media/filters/h264_parser.cc

@@ -9,6 +9,7 @@

#include "base/logging.h"

#include "base/macros.h"

+#include "base/numerics/safe_math.h"

#include "base/stl_util.h"

#include "media/base/decrypt_config.h"

#include "ui/gfx/geometry/rect.h"

@@ -947,10 +948,10 @@ H264Parser::Result H264Parser::ParseSPS(int* sps_id) {

READ_UE_OR_RETURN(&sps->pic_order_cnt_type);

TRUE_OR_RETURN(sps->pic_order_cnt_type < 3);

- sps->expected_delta_per_pic_order_cnt_cycle = 0;

if (sps->pic_order_cnt_type == 0) {

READ_UE_OR_RETURN(&sps->log2_max_pic_order_cnt_lsb_minus4);

TRUE_OR_RETURN(sps->log2_max_pic_order_cnt_lsb_minus4 < 13);

+ sps->expected_delta_per_pic_order_cnt_cycle = 0;

} else if (sps->pic_order_cnt_type == 1) {

READ_BOOL_OR_RETURN(&sps->delta_pic_order_always_zero_flag);

READ_SE_OR_RETURN(&sps->offset_for_non_ref_pic);

@@ -958,11 +959,14 @@ H264Parser::Result H264Parser::ParseSPS(int* sps_id) {

READ_UE_OR_RETURN(&sps->num_ref_frames_in_pic_order_cnt_cycle);

TRUE_OR_RETURN(sps->num_ref_frames_in_pic_order_cnt_cycle < 255);

+ base::CheckedNumeric<int> offset_acc = 0;

for (int i = 0; i < sps->num_ref_frames_in_pic_order_cnt_cycle; ++i) {

READ_SE_OR_RETURN(&sps->offset_for_ref_frame[i]);

- sps->expected_delta_per_pic_order_cnt_cycle +=

- sps->offset_for_ref_frame[i];

+ offset_acc += sps->offset_for_ref_frame[i];

}

+ if (!offset_acc.IsValid())

+ return kInvalidStream;

+ sps->expected_delta_per_pic_order_cnt_cycle = offset_acc.ValueOrDefault(0);

}

READ_UE_OR_RETURN(&sps->max_num_ref_frames);

« no previous file with comments | « no previous file | no next file » | no next file with comments »