Chromium Code Reviews

Unified Diff: media/base/container_names.cc

Issue 659743004: Add extra checks to avoid integer overflow. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: size_t Created 6 years, 2 months ago
Index: media/base/container_names.cc
diff --git a/media/base/container_names.cc b/media/base/container_names.cc
index 0f629f8a647575f0fd7a461857053bec9dace015..7b188b6b04cd8b255021a1d9b523b51c08d2ae29 100644
--- a/media/base/container_names.cc
+++ b/media/base/container_names.cc
@@ -954,7 +954,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) {
int offset = 0;
while (offset + 8 < buffer_size) {
- int atomsize = Read32(buffer + offset);
+ uint32 atomsize = Read32(buffer + offset);
uint32 atomtype = Read32(buffer + offset + 4);
// Only need to check for ones that are valid at the top level.
switch (atomtype) {
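Review bot: `offset` is still declared as a signed `int` on the first context line of this hunk while `atomsize` becomes `uint32`, so the later `offset += atomsize` mixes unsigned and signed arithmetic and narrows the result back into `int`. Consider giving `offset` the same unsigned type as `atomsize` (and casting `buffer_size` once for the loop condition), so every size comparison in the loop is done in one type. A short comment on the declaration would also help: with the old `int atomsize`, a size field with the high bit set was read as negative and caught by `atomsize <= 0`, and that reasoning is no longer visible once the type is unsigned.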
@@ -985,7 +985,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) {
break; // Offset is way past buffer size.
atomsize = Read32(buffer + offset + 12);
}
- if (atomsize <= 0)
+ if (atomsize == 0 || atomsize > static_cast<size_t>(buffer_size))
break; // Indicates the last atom or length too big.
offset += atomsize;
}
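Review bot: the new condition `atomsize > static_cast<size_t>(buffer_size)` bounds the atom against the whole buffer rather than against the bytes left after `offset`, so `offset += atomsize` can still move `offset` past `buffer_size`, and for a large enough `buffer_size` the sum no longer fits in the `int` that `offset` is declared as. The loop condition `offset + 8 < buffer_size` keeps `buffer_size - offset` positive here, so the check can be tightened to compare `atomsize` against `buffer_size - offset`. As a smaller point, `atomsize` is `uint32` but the cast is to `size_t`; casting to `uint32` keeps both sides of the comparison the same width on every platform.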