mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-23 12:51:06 +00:00
Bug 1384243 - Sanitize offset inputs in MediaResourceIndex - r=cpearce
Also check that the offset doesn't overflow during reads. MozReview-Commit-ID: DT5neeZuMZu --HG-- extra : rebase_source : 1f0de82916ebf770a0ea2570161d607216232dfa
This commit is contained in:
parent
41c3003cf6
commit
63070aab2f
@ -1569,6 +1569,10 @@ MediaResourceIndex::Read(char* aBuffer, uint32_t aCount, uint32_t* aBytes)
|
||||
return rv;
|
||||
}
|
||||
mOffset += *aBytes;
|
||||
if (mOffset < 0) {
|
||||
// Very unlikely overflow; just return to position 0.
|
||||
mOffset = 0;
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
@ -1597,6 +1601,10 @@ MediaResourceIndex::ReadAt(int64_t aOffset,
|
||||
}
|
||||
|
||||
const int64_t endOffset = aOffset + aCount;
|
||||
if (aOffset < 0 || endOffset < aOffset) {
|
||||
return NS_ERROR_ILLEGAL_VALUE;
|
||||
}
|
||||
|
||||
const int64_t lastBlockOffset = CacheOffsetContaining(endOffset - 1);
|
||||
|
||||
if (mCachedBytes != 0 && mCachedOffset + mCachedBytes >= aOffset &&
|
||||
@ -1909,6 +1917,9 @@ MediaResourceIndex::UncachedReadAt(int64_t aOffset,
|
||||
uint32_t* aBytes) const
|
||||
{
|
||||
*aBytes = 0;
|
||||
if (aOffset < 0) {
|
||||
return NS_ERROR_ILLEGAL_VALUE;
|
||||
}
|
||||
if (aCount != 0) {
|
||||
for (;;) {
|
||||
uint32_t bytesRead = 0;
|
||||
@ -1925,6 +1936,10 @@ MediaResourceIndex::UncachedReadAt(int64_t aOffset,
|
||||
break;
|
||||
}
|
||||
aOffset += bytesRead;
|
||||
if (aOffset < 0) {
|
||||
// Very unlikely overflow.
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
aBuffer += bytesRead;
|
||||
}
|
||||
}
|
||||
@ -1940,6 +1955,9 @@ MediaResourceIndex::UncachedRangedReadAt(int64_t aOffset,
|
||||
{
|
||||
*aBytes = 0;
|
||||
uint32_t count = aRequestedCount + aExtraCount;
|
||||
if (aOffset < 0 || count < aRequestedCount) {
|
||||
return NS_ERROR_ILLEGAL_VALUE;
|
||||
}
|
||||
if (count != 0) {
|
||||
for (;;) {
|
||||
uint32_t bytesRead = 0;
|
||||
@ -1957,6 +1975,10 @@ MediaResourceIndex::UncachedRangedReadAt(int64_t aOffset,
|
||||
break;
|
||||
}
|
||||
aOffset += bytesRead;
|
||||
if (aOffset < 0) {
|
||||
// Very unlikely overflow.
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
aBuffer += bytesRead;
|
||||
}
|
||||
}
|
||||
@ -1985,6 +2007,9 @@ MediaResourceIndex::Seek(int32_t aWhence, int64_t aOffset)
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
if (aOffset < 0) {
|
||||
return NS_ERROR_ILLEGAL_VALUE;
|
||||
}
|
||||
mOffset = aOffset;
|
||||
|
||||
return NS_OK;
|
||||
|
@ -760,6 +760,9 @@ public:
|
||||
already_AddRefed<MediaByteBuffer> MediaReadAt(int64_t aOffset, uint32_t aCount) const
|
||||
{
|
||||
RefPtr<MediaByteBuffer> bytes = new MediaByteBuffer();
|
||||
if (aOffset < 0) {
|
||||
return bytes.forget();
|
||||
}
|
||||
bool ok = bytes->SetLength(aCount, fallible);
|
||||
NS_ENSURE_TRUE(ok, nullptr);
|
||||
char* curr = reinterpret_cast<char*>(bytes->Elements());
|
||||
@ -772,6 +775,10 @@ public:
|
||||
break;
|
||||
}
|
||||
aOffset += bytesRead;
|
||||
if (aOffset < 0) {
|
||||
// Very unlikely overflow.
|
||||
break;
|
||||
}
|
||||
aCount -= bytesRead;
|
||||
curr += bytesRead;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user