Index: media/base/container_names.cc |
diff --git a/media/base/container_names.cc b/media/base/container_names.cc |
index 0f629f8a647575f0fd7a461857053bec9dace015..3279278b97c166a91a51a67a9308d864f23592db 100644 |
--- a/media/base/container_names.cc |
+++ b/media/base/container_names.cc |
@@ -123,7 +123,7 @@ static bool CheckAac(const uint8* buffer, int buffer_size) { |
// Get frame length (includes header). |
int size = ReadBits(&reader, 13); |
- RCHECK(size > 0); |
+ RCHECK(size > 0 && size < 8192); |
DaleCurtis
2014/10/24 17:37:01
Why not < buffer_size ?
jrummell
2014/10/24 18:09:49
RCHECK() returns false if the condition is not met
xhwang
2014/10/24 21:04:28
Does the spec say the size can't be 8192?
xhwang
2014/10/24 21:04:59
This is an old comment. Please ignore.
|
offset += size; |
} |
return true; |
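Review bot: The new upper bound `size < 8192` can never fail if `ReadBits(&reader, 13)` returns the 13-bit field as a non-negative value, because that already caps `size` at 8191. The check states the range but rejects nothing, so `offset += size` still depends on the loop's own bounds test, which is outside this hunk. The same holds for `frame_size <= 4096` in CheckEac3 (an 11-bit field, plus one, times two), `frame_size < 16384` in CheckDts (a 14-bit field) and `length < 65538` in CheckMJpeg (`Read16` plus 2). If these bounds exist to make the range explicit to readers or analysis tools, a comment should say so, for example `// 13-bit field, so size <= 8191; the bound only makes that range explicit.`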
@@ -190,7 +190,7 @@ static bool CheckEac3(const uint8* buffer, int buffer_size) { |
// Get frmsize. Include syncinfo size and convert to bytes. |
int frame_size = (ReadBits(&reader, 11) + 1) * 2; |
- RCHECK(frame_size >= 7); |
+ RCHECK(frame_size >= 7 && frame_size <= 4096); |
DaleCurtis
2014/10/24 17:37:01
ditto?
|
// Skip fscod, fscod2, acmod, and lfeon. |
reader.SkipBits(2 + 2 + 3 + 1); |
@@ -295,7 +295,7 @@ static bool CheckDts(const uint8* buffer, int buffer_size) { |
// Verify primary frame byte size. |
int frame_size = ReadBits(&reader, 14); |
- RCHECK(frame_size >= 95); |
+ RCHECK(frame_size >= 95 && frame_size < 16384); |
// Skip audio channel arrangement. |
reader.SkipBits(6); |
@@ -669,6 +669,7 @@ static bool CheckMJpeg(const uint8* buffer, int buffer_size) { |
} else { |
// All remaining marker codes are followed by a length of the header. |
int length = Read16(buffer + offset + 2) + 2; |
+ RCHECK(length > 0 && length < 65538); |
// Special handling of SOS (start of scan) marker since the entropy |
// coded data follows the SOS. Any xFF byte in the data block must be |
@@ -786,7 +787,7 @@ static bool CheckMpeg2ProgramStream(const uint8* buffer, int buffer_size) { |
return true; |
int pes_length = Read16(buffer + offset + 4); |
- RCHECK(pes_length > 0); |
+ RCHECK(pes_length > 0 && pes_length < 32768); |
offset = offset + 6 + pes_length; |
} |
} |
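Review bot: The limit in `RCHECK(pes_length > 0 && pes_length < 32768)` is an unexplained literal, and unlike the bit-field bounds elsewhere in this patch it narrows what is accepted. `Read16` can presumably return values up to 65535, so a stream whose length field is 32768 or more now fails detection. A comment giving the reason for 32768, or a named constant such as `const int kMaxPesLength = 32768;`, would let a reader tell a format rule from an overflow guard. The literal in `RCHECK(framesize > 0 && framesize < 8192)` in the CheckMp3 hunk needs the same explanation. The loop that contains this check starts outside the hunk.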
@@ -985,7 +986,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) { |
break; // Offset is way past buffer size. |
atomsize = Read32(buffer + offset + 12); |
} |
- if (atomsize <= 0) |
+ if (atomsize <= 0 || atomsize > buffer_size) |
break; // Indicates the last atom or length too big. |
offset += atomsize; |
} |
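Review bot: Comparing `atomsize` with `buffer_size` alone still lets `offset += atomsize` advance `offset` to nearly twice `buffer_size`, which can overflow for very large buffers if `offset` is an `int` (its declaration is outside the hunk). Bounding by the space that is left, `if (atomsize <= 0 || atomsize > buffer_size - offset)`, keeps `offset` inside the buffer, assuming the loop already guarantees `offset < buffer_size` at this point. Whether the comparison is signed also depends on the declared type of `atomsize`, which is not visible here.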
@@ -1113,6 +1114,8 @@ static bool CheckMp3(const uint8* buffer, int buffer_size, bool seenHeader) { |
// Have we seen enough valid headers? |
if (++numSeen > 10) |
return true; |
+ |
+ RCHECK(framesize > 0 && framesize < 8192); |
offset += framesize; |
} |
// Off the end of the buffer, return success if a few valid headers seen. |