Chromium Code Reviews Chromium Code Reviews
Issue 2648433002:
MSE: Fix Mp4 SAIO parsing overflow (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "media/formats/mp4/box_definitions.h" | 5 #include "media/formats/mp4/box_definitions.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 117 const SampleAuxiliaryInformationOffset& other) = default; | 117 const SampleAuxiliaryInformationOffset& other) = default; |
| 118 SampleAuxiliaryInformationOffset::~SampleAuxiliaryInformationOffset() {} | 118 SampleAuxiliaryInformationOffset::~SampleAuxiliaryInformationOffset() {} |
| 119 FourCC SampleAuxiliaryInformationOffset::BoxType() const { return FOURCC_SAIO; } | 119 FourCC SampleAuxiliaryInformationOffset::BoxType() const { return FOURCC_SAIO; } |
| 120 | 120 |
| 121 bool SampleAuxiliaryInformationOffset::Parse(BoxReader* reader) { | 121 bool SampleAuxiliaryInformationOffset::Parse(BoxReader* reader) { |
| 122 RCHECK(reader->ReadFullBoxHeader()); | 122 RCHECK(reader->ReadFullBoxHeader()); |
| 123 if (reader->flags() & 1) | 123 if (reader->flags() & 1) |
| 124 RCHECK(reader->SkipBytes(8)); | 124 RCHECK(reader->SkipBytes(8)); |
| 125 | 125 |
| 126 uint32_t count; | 126 uint32_t count; |
| 127 RCHECK(reader->Read4(&count) && | 127 RCHECK(reader->Read4(&count)); |
| 128 reader->HasBytes(count * (reader->version() == 1 ? 8 : 4))); | 128 int bytes_per_offset = reader->version() == 1 ? 8 : 4; |
| 129 | |
| 130 // |bytes_needed| is potentially 64-bit. Cast |count| from uint32_t to size_t | |
| 131 // to avoid multiplication overflow. | |
|
sandersd (OOO until July 31)
2017/01/18 23:09:01
This comment should explain that we want size_t to
chcunningham
2017/01/18 23:43:50
Done.
| |
| 132 base::CheckedNumeric<size_t> bytes_needed = | |
| 133 base::CheckMul(bytes_per_offset, static_cast<size_t>(count)); | |
| 134 RCHECK_MEDIA_LOGGED(bytes_needed.IsValid(), reader->media_log(), | |
| 135 "Extreme SAIO count exceeds implementation limit."); | |
| 136 RCHECK(reader->HasBytes(bytes_needed.ValueOrDie())); | |
| 137 | |
| 138 RCHECK(count <= offsets.max_size()); | |
| 129 offsets.resize(count); | 139 offsets.resize(count); |
| 130 | 140 |
| 131 for (uint32_t i = 0; i < count; i++) { | 141 for (uint32_t i = 0; i < count; i++) { |
| 132 if (reader->version() == 1) { | 142 if (reader->version() == 1) { |
| 133 RCHECK(reader->Read8(&offsets[i])); | 143 RCHECK(reader->Read8(&offsets[i])); |
| 134 } else { | 144 } else { |
| 135 RCHECK(reader->Read4Into8(&offsets[i])); | 145 RCHECK(reader->Read4Into8(&offsets[i])); |
| 136 } | 146 } |
| 137 } | 147 } |
| 138 return true; | 148 return true; |
| (...skipping 1220 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1359 SampleDependsOn IndependentAndDisposableSamples::sample_depends_on( | 1369 SampleDependsOn IndependentAndDisposableSamples::sample_depends_on( |
| 1360 size_t i) const { | 1370 size_t i) const { |
| 1361 if (i >= sample_depends_on_.size()) | 1371 if (i >= sample_depends_on_.size()) |
| 1362 return kSampleDependsOnUnknown; | 1372 return kSampleDependsOnUnknown; |
| 1363 | 1373 |
| 1364 return sample_depends_on_[i]; | 1374 return sample_depends_on_[i]; |
| 1365 } | 1375 } |
| 1366 | 1376 |
| 1367 } // namespace mp4 | 1377 } // namespace mp4 |
| 1368 } // namespace media | 1378 } // namespace media |
| OLD | NEW |
