Chromium Code Reviews Chromium Code Reviews
Issue 659743004:
Add extra checks to avoid integer overflow. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: media/base/container_names.cc |
| diff --git a/media/base/container_names.cc b/media/base/container_names.cc |
| index 0f629f8a647575f0fd7a461857053bec9dace015..b69c3e3a5d16a0cd990c67eba2562564c28cb862 100644 |
| --- a/media/base/container_names.cc |
| +++ b/media/base/container_names.cc |
| @@ -954,7 +954,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) { |
| int offset = 0; |
| while (offset + 8 < buffer_size) { |
| - int atomsize = Read32(buffer + offset); |
| + uint32 atomsize = Read32(buffer + offset); |
| uint32 atomtype = Read32(buffer + offset + 4); |
| // Only need to check for ones that are valid at the top level. |
| switch (atomtype) { |
| @@ -985,7 +985,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) { |
| break; // Offset is way past buffer size. |
| atomsize = Read32(buffer + offset + 12); |
| } |
| - if (atomsize <= 0) |
| + if (atomsize == 0 || atomsize > static_cast<unsigned>(buffer_size)) |
|
DaleCurtis
2014/10/24 20:51:35
Hmm we don't typically use unsigned, maybe size_t
jrummell
2014/10/24 23:18:29
Done.
|
| break; // Indicates the last atom or length too big. |
| offset += atomsize; |
| } |
