| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "media/formats/mp4/box_definitions.h" | 5 #include "media/formats/mp4/box_definitions.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 117 const SampleAuxiliaryInformationOffset& other) = default; | 117 const SampleAuxiliaryInformationOffset& other) = default; |
| 118 SampleAuxiliaryInformationOffset::~SampleAuxiliaryInformationOffset() {} | 118 SampleAuxiliaryInformationOffset::~SampleAuxiliaryInformationOffset() {} |
| 119 FourCC SampleAuxiliaryInformationOffset::BoxType() const { return FOURCC_SAIO; } | 119 FourCC SampleAuxiliaryInformationOffset::BoxType() const { return FOURCC_SAIO; } |
| 120 | 120 |
| 121 bool SampleAuxiliaryInformationOffset::Parse(BoxReader* reader) { | 121 bool SampleAuxiliaryInformationOffset::Parse(BoxReader* reader) { |
| 122 RCHECK(reader->ReadFullBoxHeader()); | 122 RCHECK(reader->ReadFullBoxHeader()); |
| 123 if (reader->flags() & 1) | 123 if (reader->flags() & 1) |
| 124 RCHECK(reader->SkipBytes(8)); | 124 RCHECK(reader->SkipBytes(8)); |
| 125 | 125 |
| 126 uint32_t count; | 126 uint32_t count; |
| 127 RCHECK(reader->Read4(&count) && | 127 RCHECK(reader->Read4(&count)); |
| 128 reader->HasBytes(count * (reader->version() == 1 ? 8 : 4))); | 128 int bytes_per_offset = reader->version() == 1 ? 8 : 4; |
| 129 |
| 130 // Cast |count| to size_t before multiplying to support maximum platform size. |
| 131 base::CheckedNumeric<size_t> bytes_needed = |
| 132 base::CheckMul(bytes_per_offset, static_cast<size_t>(count)); |
| 133 RCHECK_MEDIA_LOGGED(bytes_needed.IsValid(), reader->media_log(), |
| 134 "Extreme SAIO count exceeds implementation limit."); |
| 135 RCHECK(reader->HasBytes(bytes_needed.ValueOrDie())); |
| 136 |
| 137 RCHECK(count <= offsets.max_size()); |
| 129 offsets.resize(count); | 138 offsets.resize(count); |
| 130 | 139 |
| 131 for (uint32_t i = 0; i < count; i++) { | 140 for (uint32_t i = 0; i < count; i++) { |
| 132 if (reader->version() == 1) { | 141 if (reader->version() == 1) { |
| 133 RCHECK(reader->Read8(&offsets[i])); | 142 RCHECK(reader->Read8(&offsets[i])); |
| 134 } else { | 143 } else { |
| 135 RCHECK(reader->Read4Into8(&offsets[i])); | 144 RCHECK(reader->Read4Into8(&offsets[i])); |
| 136 } | 145 } |
| 137 } | 146 } |
| 138 return true; | 147 return true; |
| (...skipping 978 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1117 data_offset = 0; | 1126 data_offset = 0; |
| 1118 } | 1127 } |
| 1119 | 1128 |
| 1120 uint32_t first_sample_flags = 0; | 1129 uint32_t first_sample_flags = 0; |
| 1121 if (first_sample_flags_present) | 1130 if (first_sample_flags_present) |
| 1122 RCHECK(reader->Read4(&first_sample_flags)); | 1131 RCHECK(reader->Read4(&first_sample_flags)); |
| 1123 | 1132 |
| 1124 int fields = sample_duration_present + sample_size_present + | 1133 int fields = sample_duration_present + sample_size_present + |
| 1125 sample_flags_present + sample_composition_time_offsets_present; | 1134 sample_flags_present + sample_composition_time_offsets_present; |
| 1126 | 1135 |
| 1127 // |bytes_needed| is potentially 64-bit. Cast |sample_count| from uint32_t to | 1136 // Cast |sample_count| to size_t before multiplying to support maximum |
| 1128 // size_t to avoid multiplication overflow. | 1137 // platform size. |
| 1129 base::CheckedNumeric<size_t> bytes_needed = | 1138 base::CheckedNumeric<size_t> bytes_needed = |
| 1130 base::CheckMul(fields, static_cast<size_t>(sample_count)); | 1139 base::CheckMul(fields, static_cast<size_t>(sample_count)); |
| 1131 RCHECK_MEDIA_LOGGED(bytes_needed.IsValid(), reader->media_log(), | 1140 RCHECK_MEDIA_LOGGED(bytes_needed.IsValid(), reader->media_log(), |
| 1132 "Extreme TRUN sample count exceeds system address space"); | 1141 "Extreme TRUN sample count exceeds system address space"); |
| 1133 RCHECK(reader->HasBytes(bytes_needed.ValueOrDie())); | 1142 RCHECK(reader->HasBytes(bytes_needed.ValueOrDie())); |
| 1134 | 1143 |
| 1135 if (sample_duration_present) { | 1144 if (sample_duration_present) { |
| 1136 RCHECK(sample_count <= sample_durations.max_size()); | 1145 RCHECK(sample_count <= sample_durations.max_size()); |
| 1137 sample_durations.resize(sample_count); | 1146 sample_durations.resize(sample_count); |
| 1138 } | 1147 } |
| (...skipping 220 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1359 SampleDependsOn IndependentAndDisposableSamples::sample_depends_on( | 1368 SampleDependsOn IndependentAndDisposableSamples::sample_depends_on( |
| 1360 size_t i) const { | 1369 size_t i) const { |
| 1361 if (i >= sample_depends_on_.size()) | 1370 if (i >= sample_depends_on_.size()) |
| 1362 return kSampleDependsOnUnknown; | 1371 return kSampleDependsOnUnknown; |
| 1363 | 1372 |
| 1364 return sample_depends_on_[i]; | 1373 return sample_depends_on_[i]; |
| 1365 } | 1374 } |
| 1366 | 1375 |
| 1367 } // namespace mp4 | 1376 } // namespace mp4 |
| 1368 } // namespace media | 1377 } // namespace media |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2648433002:
MSE: Fix Mp4 SAIO parsing overflow (Closed)
