mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-10 03:45:46 +00:00
Bug 916836 - Handle jumps off the end of the buffer in MP3FrameParser. r=padenot
This commit is contained in:
parent
ec8a827b6e
commit
cae0d13cb8
@ -416,12 +416,23 @@ void MP3FrameParser::Parse(const char* aBuffer, uint32_t aLength, int64_t aOffse
|
||||
return;
|
||||
}
|
||||
MOZ_ASSERT(bytesRead >= mBufferLength, "Parse should leave original buffer");
|
||||
|
||||
// Adjust the incoming buffer pointer/length so that it reflects that we may have
|
||||
// consumed data from buffer.
|
||||
uint32_t adjust = bytesRead - mBufferLength;
|
||||
aOffset += adjust;
|
||||
aLength -= adjust;
|
||||
mBufferLength = 0;
|
||||
if (adjust >= aLength) {
|
||||
// The frame or tag found in the buffer finishes outside the range.
|
||||
// Just set the offset to the end of that tag/frame, and return.
|
||||
mOffset = streamOffset + bytesRead;
|
||||
if (mOffset > mLength) {
|
||||
mLength = mOffset;
|
||||
}
|
||||
return;
|
||||
}
|
||||
aOffset += adjust;
|
||||
MOZ_ASSERT(aLength >= adjust);
|
||||
aLength -= adjust;
|
||||
}
|
||||
|
||||
uint32_t bytesRead = 0;
|
||||
|
Loading…
Reference in New Issue
Block a user