author | John Rummell <jrummell@chromium.org> | 2020-03-18 19:16:38 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-07-24 13:51:04 +0000 |
commit | 9222c8b73abc70de3f15a6b77789be731cca39c0 (patch) | |
tree | f167641d449d34f0cd95aa28dde0b784937557b7 | |
parent | d61a4348c475ab6867334ef3ab4b5709cae15bb2 (diff) | |
download | qtwebengine-chromium-9222c8b73abc70de3f15a6b77789be731cca39c0.tar.gz |
[Backport] Security bug 1054229
Backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/2108824:
Check that ogg stream contains enough data while checking codec
If the buffer doesn't contain enough bytes when replacing a stream,
fail rather than continuing on with uninitialized data.
Bug: 1054229
Test: Failing fuzzer test passes locally
Change-Id: Ieee9484159a9a3715dca62ffaff3a9c6817694d3
Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/ffmpeg/libavformat/oggdec.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/chromium/third_party/ffmpeg/libavformat/oggdec.c b/chromium/third_party/ffmpeg/libavformat/oggdec.c index 59f3bad76c4..5e53ebf8a56 100644 --- a/chromium/third_party/ffmpeg/libavformat/oggdec.c +++ b/chromium/third_party/ffmpeg/libavformat/oggdec.c @@ -222,7 +222,12 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, int nsegs) uint8_t magic[8]; int64_t pos = avio_tell(s->pb); avio_skip(s->pb, nsegs); +#if 0 // Chromium: Check size. http://crbug.com/1054229 avio_read(s->pb, magic, sizeof(magic)); +#else + if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic)) + return AVERROR_INVALIDDATA; +#endif avio_seek(s->pb, pos, SEEK_SET); codec = ogg_find_codec(magic, sizeof(magic)); if (!codec) { |
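Review bot: In the `#else` branch of `ogg_replace_stream()`, the new `return AVERROR_INVALIDDATA;` exits before `avio_seek(s->pb, pos, SEEK_SET)`, so on a short read the I/O position is left past the segment table instead of being restored to `pos`. If any caller can keep using the context after this error, seek back to `pos` before returning. Two smaller points on the same lines: `avio_read()` returns an `int` that is compared against `sizeof(magic)` (a `size_t`), which rejects negative returns only through unsigned conversion, so an explicit `< (int)sizeof(magic)` would state the intent more clearly; and a negative return from `avio_read()` is replaced by `AVERROR_INVALIDDATA`, which hides the underlying I/O error from the caller. The return value of the preceding `avio_skip(s->pb, nsegs)` is still unchecked.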