
Unified Diff: media/base/container_names.cc

Issue 659743004: Add extra checks to avoid integer overflow. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 2 months ago
Index: media/base/container_names.cc
diff --git a/media/base/container_names.cc b/media/base/container_names.cc
index 0f629f8a647575f0fd7a461857053bec9dace015..3279278b97c166a91a51a67a9308d864f23592db 100644
--- a/media/base/container_names.cc
+++ b/media/base/container_names.cc
@@ -123,7 +123,7 @@ static bool CheckAac(const uint8* buffer, int buffer_size) {
// Get frame length (includes header).
int size = ReadBits(&reader, 13);
- RCHECK(size > 0);
+ RCHECK(size > 0 && size < 8192);
DaleCurtis 2014/10/24 17:37:01 Why not < buffer_size ?
jrummell 2014/10/24 18:09:49 RCHECK() returns false if the condition is not met
xhwang 2014/10/24 21:04:28 Does the spec say the size can't be 8192?
xhwang 2014/10/24 21:04:59 This is an old comment. Please ignore.
offset += size;
}
return true;
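Review bot: The new upper bound `size < 8192` can never fail: `ReadBits(&reader, 13)` yields at most 8191, so this RCHECK is a no-op and the hunk changes nothing about how far `offset += size` can run. If the intent is to keep the walk inside the buffer, bound the frame against the bytes remaining after `offset`, e.g. `RCHECK(size > 0 && size <= buffer_size - offset);`, which is also what the `< buffer_size` question above is driving at.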
@@ -190,7 +190,7 @@ static bool CheckEac3(const uint8* buffer, int buffer_size) {
// Get frmsize. Include syncinfo size and convert to bytes.
int frame_size = (ReadBits(&reader, 11) + 1) * 2;
- RCHECK(frame_size >= 7);
+ RCHECK(frame_size >= 7 && frame_size <= 4096);
DaleCurtis 2014/10/24 17:37:01 ditto?
// Skip fscod, fscod2, acmod, and lfeon.
reader.SkipBits(2 + 2 + 3 + 1);
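Review bot: `frame_size <= 4096` is tautological here: `(ReadBits(&reader, 11) + 1) * 2` tops out at (2047 + 1) * 2 = 4096, so the condition holds for every input and the "ditto?" applies. Either drop the constant or replace it with a check against the bytes left in `buffer` from the current position, which is the only bound that prevents the frame walk from stepping past `buffer_size`.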
@@ -295,7 +295,7 @@ static bool CheckDts(const uint8* buffer, int buffer_size) {
// Verify primary frame byte size.
int frame_size = ReadBits(&reader, 14);
- RCHECK(frame_size >= 95);
+ RCHECK(frame_size >= 95 && frame_size < 16384);
// Skip audio channel arrangement.
reader.SkipBits(6);
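Review bot: Same problem as the AAC and E-AC3 hunks: a 14-bit `ReadBits` result is at most 16383, so `frame_size < 16384` never rejects anything. A constant derived from the field width adds no safety; the check that matters is that `frame_size` fits in the unread remainder of `buffer`, and that should be asserted here instead.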
@@ -669,6 +669,7 @@ static bool CheckMJpeg(const uint8* buffer, int buffer_size) {
} else {
// All remaining marker codes are followed by a length of the header.
int length = Read16(buffer + offset + 2) + 2;
+ RCHECK(length > 0 && length < 65538);
// Special handling of SOS (start of scan) marker since the entropy
// coded data follows the SOS. Any xFF byte in the data block must be
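Review bot: `length > 0 && length < 65538` is dead code: `Read16(...) + 2` lies in 2..65537, so both halves of the condition are always true and the segment can still extend past the end of `buffer`. Check the segment against the remaining bytes instead, e.g. `RCHECK(length <= buffer_size - offset);`, before any of the segment header at `buffer + offset + 2` onward is consumed.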
@@ -786,7 +787,7 @@ static bool CheckMpeg2ProgramStream(const uint8* buffer, int buffer_size) {
return true;
int pes_length = Read16(buffer + offset + 4);
- RCHECK(pes_length > 0);
+ RCHECK(pes_length > 0 && pes_length < 32768);
offset = offset + 6 + pes_length;
}
}
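Review bot: The 32768 cap is not motivated by anything in the hunk: `Read16` returns a 16-bit value, so this rejects the upper half of the field's range on valid-looking streams, while the real hazard, `offset = offset + 6 + pes_length` advancing beyond the buffer, is still left to whatever loop test follows. Prefer `RCHECK(pes_length > 0 && offset + 6 + pes_length <= buffer_size);` and drop the magic number, or document where 32768 comes from.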
@@ -985,7 +986,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) {
break; // Offset is way past buffer size.
atomsize = Read32(buffer + offset + 12);
}
- if (atomsize <= 0)
+ if (atomsize <= 0 || atomsize > buffer_size)
break; // Indicates the last atom or length too big.
offset += atomsize;
}
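Review bot: `atomsize > buffer_size` compares the atom against the whole buffer rather than what is left after `offset`, so `offset += atomsize` can still land beyond `buffer_size` and the loop only notices on the next pass via the "way past buffer size" break. `atomsize > buffer_size - offset` is the bound that matches the comment. Also worth noting in a comment: `atomsize = Read32(buffer + offset + 12)` keeps only the low 32 bits of the 64-bit extended size, so a large extended atom can read as small or non-positive and be treated as the last atom.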
@@ -1113,6 +1114,8 @@ static bool CheckMp3(const uint8* buffer, int buffer_size, bool seenHeader) {
// Have we seen enough valid headers?
if (++numSeen > 10)
return true;
+
+ RCHECK(framesize > 0 && framesize < 8192);
offset += framesize;
}
// Off the end of the buffer, return success if a few valid headers seen.
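Review bot: The new RCHECK is placed after `++numSeen`, so a header whose `framesize` is out of range has already been counted as one of the ten valid headers, and on the eleventh header the function returns true before the size is ever examined. Move the check ahead of the `numSeen` increment, immediately after `framesize` is computed, so only headers with a sane frame size count toward success, and consider bounding against the remaining buffer rather than the unexplained 8192.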
