author | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-04-01 16:15:19 +0200 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 18:25:53 +0000 |
commit | ca1a356780f430f1ae9082967137ef0c1b9866f7 (patch) | |
tree | 8a9e33588d3a47b030d9bbd4a5b91720fe54acab | |
parent | dda18dccd9174d6b5aa065eea8475fddd0e72395 (diff) | |
download | qtwebengine-chromium-ca1a356780f430f1ae9082967137ef0c1b9866f7.tar.gz |
[Backport] Security bug 917608
Backport of original patch by John Rummell <jrummell@chromium.org>:
Fix buffer size comparisons for VP8 parser
With fuzzed data the frame_size field can be huge, which causes the
address range checks to fail.
BUG=917608
Change-Id: I5fcaeac4681ed24924034dd2230e45d0e72f756b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/media/filters/ivf_parser.cc | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/chromium/media/filters/ivf_parser.cc b/chromium/media/filters/ivf_parser.cc
index b6160fb533b..8361088b040 100644
--- a/chromium/media/filters/ivf_parser.cc
+++ b/chromium/media/filters/ivf_parser.cc
@@ -2,9 +2,11 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+#include "media/filters/ivf_parser.h"
+
 #include "base/logging.h"
+#include "base/numerics/safe_conversions.h"
 #include "base/sys_byteorder.h"
-#include "media/filters/ivf_parser.h"
 namespace media {
@@ -34,6 +36,7 @@ bool IvfParser::Initialize(const uint8_t* stream,
 DCHECK(file_header);
 ptr_ = stream;
 end_ = stream + size;
+ CHECK_GE(end_, ptr_);
 if (size < sizeof(IvfFileHeader)) {
 DLOG(ERROR) << "EOF before file header";
@@ -65,8 +68,9 @@ bool IvfParser::ParseNextFrame(IvfFrameHeader* frame_header,
 const uint8_t** payload) {
 DCHECK(ptr_);
 DCHECK(payload);
+ CHECK_GE(end_, ptr_);
- if (end_ < ptr_ + sizeof(IvfFrameHeader)) {
+ if (base::checked_cast<size_t>(end_ - ptr_) < sizeof(IvfFrameHeader)) {
 DLOG_IF(ERROR, ptr_ != end_) << "Incomplete frame header";
 return false;
 }
@@ -75,7 +79,7 @@ bool IvfParser::ParseNextFrame(IvfFrameHeader* frame_header,
 frame_header->ByteSwap();
 ptr_ += sizeof(IvfFrameHeader);
- if (end_ < ptr_ + frame_header->frame_size) {
+ if (base::checked_cast<uint32_t>(end_ - ptr_) < frame_header->frame_size) {
 DLOG(ERROR) << "Not enough frame data";
 return false;
 } |
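Review bot: In the last hunk `base::checked_cast<uint32_t>(end_ - ptr_)` turns a large remaining buffer into a CHECK failure rather than a parse error: on a 64-bit build, any input with 4 GiB or more left after the frame header crashes the process instead of returning false, so the fix replaces an out-of-range read with a crash on that input class. Since `frame_size` is presumably a 32-bit field (inferred from the cast target), widening it to `size_t` is lossless and the comparison needs no checked cast at all: `if (static_cast<size_t>(end_ - ptr_) < frame_header->frame_size) {`. The `CHECK_GE(end_, ptr_)` added at the top of the function already guarantees the difference is non-negative, so the only thing the checked cast can still trip on is magnitude. The same applies to the `checked_cast<size_t>` in the preceding hunk, although there the cast can only fail on a negative difference that the CHECK has already excluded. `ParseNextFrame` starts and ends outside the hunk, so the advance of `ptr_` by `frame_size` after this check is not visible here.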