Bug 1384243 - Sanitize offset inputs in MediaResourceIndex - r=cpearce

Also check that the offset doesn't overflow during reads.

MozReview-Commit-ID: DT5neeZuMZu

--HG--
extra : rebase_source : 1f0de82916ebf770a0ea2570161d607216232dfa
This commit is contained in:
Gerald Squelart 2017-08-01 14:07:55 +12:00
parent 41c3003cf6
commit 63070aab2f
2 changed files with 32 additions and 0 deletions

View File

@ -1569,6 +1569,10 @@ MediaResourceIndex::Read(char* aBuffer, uint32_t aCount, uint32_t* aBytes)
return rv;
}
mOffset += *aBytes;
if (mOffset < 0) {
// Very unlikely overflow; just return to position 0.
mOffset = 0;
}
return NS_OK;
}
@ -1597,6 +1601,10 @@ MediaResourceIndex::ReadAt(int64_t aOffset,
}
const int64_t endOffset = aOffset + aCount;
if (aOffset < 0 || endOffset < aOffset) {
return NS_ERROR_ILLEGAL_VALUE;
}
const int64_t lastBlockOffset = CacheOffsetContaining(endOffset - 1);
if (mCachedBytes != 0 && mCachedOffset + mCachedBytes >= aOffset &&
@ -1909,6 +1917,9 @@ MediaResourceIndex::UncachedReadAt(int64_t aOffset,
uint32_t* aBytes) const
{
*aBytes = 0;
if (aOffset < 0) {
return NS_ERROR_ILLEGAL_VALUE;
}
if (aCount != 0) {
for (;;) {
uint32_t bytesRead = 0;
@ -1925,6 +1936,10 @@ MediaResourceIndex::UncachedReadAt(int64_t aOffset,
break;
}
aOffset += bytesRead;
if (aOffset < 0) {
// Very unlikely overflow.
return NS_ERROR_FAILURE;
}
aBuffer += bytesRead;
}
}
@ -1940,6 +1955,9 @@ MediaResourceIndex::UncachedRangedReadAt(int64_t aOffset,
{
*aBytes = 0;
uint32_t count = aRequestedCount + aExtraCount;
if (aOffset < 0 || count < aRequestedCount) {
return NS_ERROR_ILLEGAL_VALUE;
}
if (count != 0) {
for (;;) {
uint32_t bytesRead = 0;
@ -1957,6 +1975,10 @@ MediaResourceIndex::UncachedRangedReadAt(int64_t aOffset,
break;
}
aOffset += bytesRead;
if (aOffset < 0) {
// Very unlikely overflow.
return NS_ERROR_FAILURE;
}
aBuffer += bytesRead;
}
}
@ -1985,6 +2007,9 @@ MediaResourceIndex::Seek(int32_t aWhence, int64_t aOffset)
return NS_ERROR_FAILURE;
}
if (aOffset < 0) {
return NS_ERROR_ILLEGAL_VALUE;
}
mOffset = aOffset;
return NS_OK;

View File

@ -760,6 +760,9 @@ public:
already_AddRefed<MediaByteBuffer> MediaReadAt(int64_t aOffset, uint32_t aCount) const
{
RefPtr<MediaByteBuffer> bytes = new MediaByteBuffer();
if (aOffset < 0) {
return bytes.forget();
}
bool ok = bytes->SetLength(aCount, fallible);
NS_ENSURE_TRUE(ok, nullptr);
char* curr = reinterpret_cast<char*>(bytes->Elements());
@ -772,6 +775,10 @@ public:
break;
}
aOffset += bytesRead;
if (aOffset < 0) {
// Very unlikely overflow.
break;
}
aCount -= bytesRead;
curr += bytesRead;
}