authorMichael BrĂ¼ning <michael.bruning@qt.io>2019-04-01 16:15:19 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2019-12-02 18:25:53 +0000
commitca1a356780f430f1ae9082967137ef0c1b9866f7 (patch)
tree8a9e33588d3a47b030d9bbd4a5b91720fe54acab
parentdda18dccd9174d6b5aa065eea8475fddd0e72395 (diff)
downloadqtwebengine-chromium-ca1a356780f430f1ae9082967137ef0c1b9866f7.tar.gz
[Backport] Security bug 917608
Backport of original patch by John Rummell <jrummell@chromium.org>: Fix buffer size comparisons for VP8 parser. With fuzzed data the frame_size field can be huge, which causes the address range checks to fail. BUG=917608 Change-Id: I5fcaeac4681ed24924034dd2230e45d0e72f756b Reviewed-by: Michal Klocek <michal.klocek@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/media/filters/ivf_parser.cc10
1 files changed, 7 insertions, 3 deletions
diff --git a/chromium/media/filters/ivf_parser.cc b/chromium/media/filters/ivf_parser.cc
index b6160fb533b..8361088b040 100644
--- a/chromium/media/filters/ivf_parser.cc
+++ b/chromium/media/filters/ivf_parser.cc
@@ -2,9 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#include "media/filters/ivf_parser.h"
+
#include "base/logging.h"
+#include "base/numerics/safe_conversions.h"
#include "base/sys_byteorder.h"
-#include "media/filters/ivf_parser.h"
namespace media {
@@ -34,6 +36,7 @@ bool IvfParser::Initialize(const uint8_t* stream,
DCHECK(file_header);
ptr_ = stream;
end_ = stream + size;
+ CHECK_GE(end_, ptr_);
if (size < sizeof(IvfFileHeader)) {
DLOG(ERROR) << "EOF before file header";
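Review bot: The added `CHECK_GE(end_, ptr_)` runs only after `end_ = stream + size` has already been computed, so for a `size` large enough to wrap it detects the result of out-of-range pointer arithmetic rather than preventing it; within this codebase's CHECK-on-invariant style that is the pragmatic choice, but the line gives no hint why `end_ < ptr_` could ever be reachable. A one-line comment would carry that reasoning for the next reader, e.g. `// stream + size may have wrapped for an absurd size; fail loudly rather than parse.` The following `size < sizeof(IvfFileHeader)` check is unchanged and still only guards the header, not the wrapped case. Initialize's body continues past the hunk.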
@@ -65,8 +68,9 @@ bool IvfParser::ParseNextFrame(IvfFrameHeader* frame_header,
const uint8_t** payload) {
DCHECK(ptr_);
DCHECK(payload);
+ CHECK_GE(end_, ptr_);
- if (end_ < ptr_ + sizeof(IvfFrameHeader)) {
+ if (base::checked_cast<size_t>(end_ - ptr_) < sizeof(IvfFrameHeader)) {
DLOG_IF(ERROR, ptr_ != end_) << "Incomplete frame header";
return false;
}
@@ -75,7 +79,7 @@ bool IvfParser::ParseNextFrame(IvfFrameHeader* frame_header,
frame_header->ByteSwap();
ptr_ += sizeof(IvfFrameHeader);
- if (end_ < ptr_ + frame_header->frame_size) {
+ if (base::checked_cast<uint32_t>(end_ - ptr_) < frame_header->frame_size) {
DLOG(ERROR) << "Not enough frame data";
return false;
}
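Review bot: `base::checked_cast<uint32_t>(end_ - ptr_)` on the new line turns a remaining buffer of 4 GiB or more into a CHECK failure (a process abort) instead of a "not enough frame data" result, because the cast is checked against the destination type, not against frame_size; whether any caller ever hands the parser such a stream I cannot tell from here. The earlier hunk in the same function already performs its comparison in `size_t`, and the same form works here since the `uint32_t` frame_size promotes in the comparison: `if (base::checked_cast<size_t>(end_ - ptr_) < frame_header->frame_size) {`. The `CHECK_GE(end_, ptr_)` added at the top of ParseNextFrame guarantees the difference is non-negative, so the `size_t` cast cannot fire for a valid stream. ParseNextFrame continues outside the hunk.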