Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
659743004:
Add extra checks to avoid integer overflow. (Closed)
DescriptionAdd extra checks to avoid integer overflow.
BUG=425980
TEST=no crash with ASAN
Committed: https://crrev.com/b2006ac87cec58363090e7d5e10d5d9e3bbda9f9
Cr-Commit-Position: refs/heads/master@{#301249}
Patch Set 1 #
Total comments: 5
Patch Set 2 : remove other checks #
Total comments: 2
Patch Set 3 : size_t #Messages
Total messages: 14 (3 generated)
jrummell@chromium.org changed reviewers: + dalecurtis@chromium.org, xhwang@chromium.org
PTAL.
Ditto everywhere you have a seemingly magic value. https://codereview.chromium.org/659743004/diff/1/media/base/container_names.cc File media/base/container_names.cc (right): https://codereview.chromium.org/659743004/diff/1/media/base/container_names.c... media/base/container_names.cc:126: RCHECK(size > 0 && size < 8192); Why not < buffer_size ? https://codereview.chromium.org/659743004/diff/1/media/base/container_names.c... media/base/container_names.cc:193: RCHECK(frame_size >= 7 && frame_size <= 4096); ditto?
Comments only. https://codereview.chromium.org/659743004/diff/1/media/base/container_names.cc File media/base/container_names.cc (right): https://codereview.chromium.org/659743004/diff/1/media/base/container_names.c... media/base/container_names.cc:126: RCHECK(size > 0 && size < 8192); On 2014/10/24 17:37:01, DaleCurtis wrote: > Why not < buffer_size ? RCHECK() returns false if the condition is not met. Having the offset go off the end of the buffer may do something different (in this case it returns true), so I didn't want to affect that. And they're not really magic numbers. 2**13 = 8192, and is the largest value that the line above should return. It doesn't add much, but makes it clear that what gets added to offset is not close to maxint.
Updated to only do the check for MOV files.
lgtm https://codereview.chromium.org/659743004/diff/20001/media/base/container_nam... File media/base/container_names.cc (right): https://codereview.chromium.org/659743004/diff/20001/media/base/container_nam... media/base/container_names.cc:988: if (atomsize == 0 || atomsize > static_cast<unsigned>(buffer_size)) Hmm we don't typically use unsigned, maybe size_t instead?
lgtm % dale's comment about size_t https://codereview.chromium.org/659743004/diff/1/media/base/container_names.cc File media/base/container_names.cc (right): https://codereview.chromium.org/659743004/diff/1/media/base/container_names.c... media/base/container_names.cc:126: RCHECK(size > 0 && size < 8192); On 2014/10/24 18:09:49, jrummell wrote: > On 2014/10/24 17:37:01, DaleCurtis wrote: > > Why not < buffer_size ? > > RCHECK() returns false if the condition is not met. Having the offset go off the > end of the buffer may do something different (in this case it returns true), so > I didn't want to affect that. > > And they're not really magic numbers. 2**13 = 8192, and is the largest value > that the line above should return. It doesn't add much, but makes it clear that > what gets added to offset is not close to maxint. Does the spec say the size can't be 8192?
https://codereview.chromium.org/659743004/diff/1/media/base/container_names.cc File media/base/container_names.cc (right): https://codereview.chromium.org/659743004/diff/1/media/base/container_names.c... media/base/container_names.cc:126: RCHECK(size > 0 && size < 8192); On 2014/10/24 21:04:28, xhwang wrote: > On 2014/10/24 18:09:49, jrummell wrote: > > On 2014/10/24 17:37:01, DaleCurtis wrote: > > > Why not < buffer_size ? > > > > RCHECK() returns false if the condition is not met. Having the offset go off > the > > end of the buffer may do something different (in this case it returns true), > so > > I didn't want to affect that. > > > > And they're not really magic numbers. 2**13 = 8192, and is the largest value > > that the line above should return. It doesn't add much, but makes it clear > that > > what gets added to offset is not close to maxint. > > Does the spec say the size can't be 8192? This is an old comment. Please ignore.
Patchset #3 (id:40001) has been deleted
Thanks for the reviews. https://codereview.chromium.org/659743004/diff/20001/media/base/container_nam... File media/base/container_names.cc (right): https://codereview.chromium.org/659743004/diff/20001/media/base/container_nam... media/base/container_names.cc:988: if (atomsize == 0 || atomsize > static_cast<unsigned>(buffer_size)) On 2014/10/24 20:51:35, DaleCurtis wrote: > Hmm we don't typically use unsigned, maybe size_t instead? Done.
The CQ bit was checked by jrummell@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/659743004/60001
Message was sent while issue was closed.
Committed patchset #3 (id:60001)
Message was sent while issue was closed.
Patchset 3 (id:??) landed as https://crrev.com/b2006ac87cec58363090e7d5e10d5d9e3bbda9f9 Cr-Commit-Position: refs/heads/master@{#301249} |
