Chromium Code Reviews

Unified Diff: media/formats/mp4/box_reader_unittest.cc

Issue 2648433002: MSE: Fix Mp4 SAIO parsing overflow (Closed)
Patch Set: Feedback Created 3 years, 11 months ago
Index: media/formats/mp4/box_reader_unittest.cc
diff --git a/media/formats/mp4/box_reader_unittest.cc b/media/formats/mp4/box_reader_unittest.cc
index b416ab55eebb46b906afff216b2bcb596783d531..eefc9ef05da0183538e1309a20f311a34320e36d 100644
--- a/media/formats/mp4/box_reader_unittest.cc
+++ b/media/formats/mp4/box_reader_unittest.cc
@@ -367,5 +367,47 @@ TEST_F(BoxReaderTest, TrunSampleCount32bitOverflow) {
EXPECT_FALSE(reader->ReadAllChildrenAndCheckFourCC(&children));
}
+TEST_F(BoxReaderTest, SaioCount32bitOverflow) {
+ // This data is not a valid 'emsg' box. It is just used as a top-level box
+ // as ReadTopLevelBox() has a restricted set of boxes it allows.
+ // The nested 'saio' box specifies an unusually high number of offset counts,
+ // though only one offset is actually included in the box. The values for
+ // "count" and "version" are chosen such that the needed number of bytes will
+ // overflow to a very small number (4), leading to incorrect assumptions about
+ // bytes available and ultimately OOB reads. http://crbug.com/679641
+ static const uint8_t kData[] = {
+ 0x00, 0x00, 0x00, 0x1c, 'e', 'm', 's', 'g', // outer box
+ 0x00, 0x00, 0x00, 0x14, 's', 'a', 'i', 'o', // nested box
+ 0x00, 0x00, // version = 0 (4 bytes per offset entry)
+ 0x00, 0x00, // flags = 0
+ 0x40, 0x00, 0x00, 0x01, // offsets count = 1073741825
+ 0x00, 0x00, 0x00, 0x00, // single offset entry
+ };
+
+ bool err;
+ std::unique_ptr<BoxReader> reader(
+ BoxReader::ReadTopLevelBox(kData, sizeof(kData), media_log_, &err));
+
+ EXPECT_FALSE(err);
+ EXPECT_TRUE(reader);
+ EXPECT_EQ(FOURCC_EMSG, reader->type());
+
+// Overflow is only triggered/caught on 32-bit systems. 64-bit systems will
+// instead fail parsing because kData does not have enough bytes to describe
+// the large number of samples.
+#if defined(ARCH_CPU_32_BITS)
+ const int kOverflowLogCount = 1;
+#else
+ const int kOverflowLogCount = 0;
+#endif
+
+ EXPECT_MEDIA_LOG(
+ HasSubstr("Extreme SAIO count exceeds implementation limit."))
+ .Times(kOverflowLogCount);
+
+ std::vector<SampleAuxiliaryInformationOffset> children;
+ EXPECT_FALSE(reader->ReadAllChildrenAndCheckFourCC(&children));
+}
+
} // namespace mp4
} // namespace media
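Review bot: the `#if defined(ARCH_CPU_32_BITS)` branch only does its job if `build/build_config.h` is included in this file, and the hunk does not show that include; if it is absent the macro is silently undefined, `kOverflowLogCount` is always 0, and the `.Times(kOverflowLogCount)` expectation never asserts on the 32-bit overflow path. Please confirm the include is present (or add it) so the "Extreme SAIO count exceeds implementation limit." log is actually required on 32-bit builds. Minor: the comment "the large number of samples" should read "the large number of offset entries", since 'saio' counts offsets rather than samples; the arithmetic in the header comment is consistent (0x40000001 entries * 4 bytes = 0x100000004, which truncates to 4 in 32 bits), and the box sizes match the payload (outer 0x1c = 28 bytes, nested 0x14 = 20 bytes).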
