media/formats/mp4/box_reader_unittest.cc - Issue 2648433002: MSE: Fix Mp4 SAIO parsing overflow

Side by Side Diff: media/formats/mp4/box_reader_unittest.cc

Issue 2648433002: MSE: Fix Mp4 SAIO parsing overflow (Closed)

Patch Set: Feedback Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "media/formats/mp4/box_reader.h"	5 #include "media/formats/mp4/box_reader.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8 #include <string.h>	8 #include <string.h>

9	9

10 #include <memory>	10 #include <memory>

(...skipping 349 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
360 EXPECT_MEDIA_LOG(	360 EXPECT_MEDIA_LOG(

361 HasSubstr("Extreme TRUN sample count exceeds system address space"))	361 HasSubstr("Extreme TRUN sample count exceeds system address space"))

362 .Times(kOverflowLogCount);	362 .Times(kOverflowLogCount);

363	363

364 // Reading the child should fail since the number of samples specified	364 // Reading the child should fail since the number of samples specified

365 // doesn't match what is in the box.	365 // doesn't match what is in the box.

366 std::vector<TrackFragmentRun> children;	366 std::vector<TrackFragmentRun> children;

367 EXPECT_FALSE(reader->ReadAllChildrenAndCheckFourCC(&children));	367 EXPECT_FALSE(reader->ReadAllChildrenAndCheckFourCC(&children));

368 }	368 }

369	369

	370 TEST_F(BoxReaderTest, SaioCount32bitOverflow) {

	371 // This data is not a valid 'emsg' box. It is just used as a top-level box

	372 // as ReadTopLevelBox() has a restricted set of boxes it allows.

	373 // The nested 'saio' box specifies an unusually high number of offset counts,

	374 // though only one offset is actually included in the box. The values for

	375 // "count" and "version" are chosen such that the needed number of bytes will

	376 // overflow to a very small number (4), leading to incorrect assumptions about

	377 // bytes available and ultimately OOB reads. http://crbug.com/679641

	378 static const uint8_t kData[] = {

	379 0x00, 0x00, 0x00, 0x1c, 'e', 'm', 's', 'g', // outer box

	380 0x00, 0x00, 0x00, 0x14, 's', 'a', 'i', 'o', // nested box

	381 0x00, 0x00, // version = 0 (4 bytes per offset entry)

	382 0x00, 0x00, // flags = 0

	383 0x40, 0x00, 0x00, 0x01, // offsets count = 1073741825

	384 0x00, 0x00, 0x00, 0x00, // single offset entry

	385 };

	386

	387 bool err;

	388 std::unique_ptr<BoxReader> reader(

	389 BoxReader::ReadTopLevelBox(kData, sizeof(kData), media_log_, &err));

	390

	391 EXPECT_FALSE(err);

	392 EXPECT_TRUE(reader);

	393 EXPECT_EQ(FOURCC_EMSG, reader->type());

	394

	395 // Overflow is only triggered/caught on 32-bit systems. 64-bit systems will

	396 // instead fail parsing because kData does not have enough bytes to describe

	397 // the large number of samples.

	398 #if defined(ARCH_CPU_32_BITS)

	399 const int kOverflowLogCount = 1;

	400 #else

	401 const int kOverflowLogCount = 0;

	402 #endif

	403

	404 EXPECT_MEDIA_LOG(

	405 HasSubstr("Extreme SAIO count exceeds implementation limit."))

	406 .Times(kOverflowLogCount);

	407

	408 std::vector<SampleAuxiliaryInformationOffset> children;

	409 EXPECT_FALSE(reader->ReadAllChildrenAndCheckFourCC(&children));

	410 }

	411

370 } // namespace mp4	412 } // namespace mp4

371 } // namespace media	413 } // namespace media

OLD	NEW

« no previous file with comments | « media/formats/mp4/box_definitions.cc ('k') | no next file » | no next file with comments »