MSE: Fix Mp4 SAIO parsing overflow

MSE: Fix Mp4 SAIO parsing overflow

SampleAuxiliaryInformationOffset::Parse
count can take any value between 0x0 and 0xffffffff. We must
check for size_t overflow when multiplying count by
"bytes_per_offset". We should also avoid attempting to resize vectors
beyond their max_size() (potential OOB depending on stl library impl).

BUG=679641
TEST=unit test, manual verification of POC.

Review-Url: https://codereview.chromium.org/2648433002
Cr-Commit-Position: refs/heads/master@{#444584}
Committed: https://chromium.googlesource.com/chromium/src/+/5041e28550903b40c925d66f6bb5bb6a6baed15b

[chcunningham, 2017-01-18 22:40:24]

The CQ bit was checked by chcunningham@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-18 22:40:50]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[chcunningham, 2017-01-18 22:43:33]

chcunningham@chromium.org changed reviewers:
+ sandersd@chromium.org

[chcunningham, 2017-01-18 22:43:33]

Hey Dan, here's review 2/6 for the OOB bugs filed on box_defintions.cc. Dale
took 1/6 (dependent CL), but I'm trying to shard around.

[sandersd (OOO until July 31), 2017-01-18 23:09:01]

lgtm % comment nit.

https://codereview.chromium.org/2648433002/diff/20001/media/formats/mp4/box_d...
File media/formats/mp4/box_definitions.cc (right):

https://codereview.chromium.org/2648433002/diff/20001/media/formats/mp4/box_d...
media/formats/mp4/box_definitions.cc:131: // to avoid multiplication overflow.
This comment should explain that we want size_t to support the maximum size on
any platform. I'd remove the part about overflow, that's clear from the use of
CheckMul and having it makes it look like the two statements are related.

[chcunningham, 2017-01-18 23:43:51]

Thanks!

https://codereview.chromium.org/2648433002/diff/20001/media/formats/mp4/box_d...
File media/formats/mp4/box_definitions.cc (right):

https://codereview.chromium.org/2648433002/diff/20001/media/formats/mp4/box_d...
media/formats/mp4/box_definitions.cc:131: // to avoid multiplication overflow.
On 2017/01/18 23:09:01, sandersd wrote:
> This comment should explain that we want size_t to support the maximum size on
> any platform. I'd remove the part about overflow, that's clear from the use of
> CheckMul and having it makes it look like the two statements are related.

Done.

[chcunningham, 2017-01-18 23:43:55]

The CQ bit was checked by chcunningham@chromium.org

[chcunningham, 2017-01-18 23:43:55]

The patchset sent to the CQ was uploaded after l-g-t-m from
sandersd@chromium.org
Link to the patchset: https://codereview.chromium.org/2648433002/#ps60001
(title: "Feedback")

[commit-bot: I haz the power, 2017-01-18 23:45:10]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-19 01:19:08]

CQ is committing da patch.

Bot data: {"patchset_id": 60001, "attempt_start_ts": 1484783035182830,
"parent_rev": "c968f85cafa23bd24bb6d4a8f73b0cfc0bac2af5", "commit_rev":
"5041e28550903b40c925d66f6bb5bb6a6baed15b"}

[commit-bot: I haz the power, 2017-01-19 01:20:06]

Description was changed from

==========
MSE: Fix Mp4 SAIO parsing overflow

SampleAuxiliaryInformationOffset::Parse
count can take any value between 0x0 and 0xffffffff. We must
check for size_t overflow when multiplying count by
"bytes_per_offset". We should also avoid attempting to resize vectors
beyond their max_size() (potential OOB depending on stl library impl).

BUG=679641
TEST=unit test, manual verification of POC.
==========

to

==========
MSE: Fix Mp4 SAIO parsing overflow

SampleAuxiliaryInformationOffset::Parse
count can take any value between 0x0 and 0xffffffff. We must
check for size_t overflow when multiplying count by
"bytes_per_offset". We should also avoid attempting to resize vectors
beyond their max_size() (potential OOB depending on stl library impl).

BUG=679641
TEST=unit test, manual verification of POC.

Review-Url: https://codereview.chromium.org/2648433002
Cr-Commit-Position: refs/heads/master@{#444584}
Committed:
https://chromium.googlesource.com/chromium/src/+/5041e28550903b40c925d66f6bb5...
==========

[commit-bot: I haz the power, 2017-01-19 01:20:07]

Committed patchset #4 (id:60001) as
https://chromium.googlesource.com/chromium/src/+/5041e28550903b40c925d66f6bb5...