mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-18 07:45:30 +00:00
Bug 1154683: Fix potential size overflow. r=kentuckyfriedtakahe
This commit is contained in:
parent
0394e1102c
commit
0e46a78213
@ -1843,6 +1843,10 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
|
||||
size = 0;
|
||||
}
|
||||
|
||||
// Make sure (size + chunk_size) isn't going to overflow.
|
||||
if (size > (size_t)-1 - chunk_size) {
|
||||
return ERROR_MALFORMED;
|
||||
}
|
||||
uint8_t *buffer = new uint8_t[size + chunk_size];
|
||||
|
||||
if (size > 0) {
|
||||
@ -2689,6 +2693,11 @@ status_t MPEG4Source::parseChunk(off64_t *offset) {
|
||||
return ERROR_MALFORMED;
|
||||
}
|
||||
|
||||
if (chunk_size >= INT32_MAX - 128) {
|
||||
// Could cause an overflow later. Abort.
|
||||
return ERROR_MALFORMED;
|
||||
}
|
||||
|
||||
char chunk[5];
|
||||
MakeFourCCString(chunk_type, chunk);
|
||||
ALOGV("MPEG4Source chunk %s @ %llx", chunk, *offset);
|
||||
|
Loading…
Reference in New Issue
Block a user