From ca1a356780f430f1ae9082967137ef0c1b9866f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Br=C3=BCning?=
Date: Mon, 1 Apr 2019 16:15:19 +0200
Subject: [Backport] Security bug 917608

Backport of original patch by John Rummell :

Fix buffer size comparisons for VP8 parser

With fuzzed data the frame_size field can be huge, which causes the address range checks to fail.

BUG=917608

Change-Id: I5fcaeac4681ed24924034dd2230e45d0e72f756b
Reviewed-by: Michal Klocek
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/media/filters/ivf_parser.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/chromium/media/filters/ivf_parser.cc b/chromium/media/filters/ivf_parser.cc
index b6160fb533b..8361088b040 100644
--- a/chromium/media/filters/ivf_parser.cc
+++ b/chromium/media/filters/ivf_parser.cc
@@ -2,9 +2,11 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "media/filters/ivf_parser.h"
+
 #include "base/logging.h"
+#include "base/numerics/safe_conversions.h"
 #include "base/sys_byteorder.h"
-#include "media/filters/ivf_parser.h"
 
 namespace media {
 
@@ -34,6 +36,7 @@ bool IvfParser::Initialize(const uint8_t* stream,
   DCHECK(file_header);
   ptr_ = stream;
   end_ = stream + size;
+  CHECK_GE(end_, ptr_);
 
   if (size < sizeof(IvfFileHeader)) {
     DLOG(ERROR) << "EOF before file header";
@@ -65,8 +68,9 @@ bool IvfParser::ParseNextFrame(IvfFrameHeader* frame_header,
                                const uint8_t** payload) {
   DCHECK(ptr_);
   DCHECK(payload);
+  CHECK_GE(end_, ptr_);
 
-  if (end_ < ptr_ + sizeof(IvfFrameHeader)) {
+  if (base::checked_cast(end_ - ptr_) < sizeof(IvfFrameHeader)) {
     DLOG_IF(ERROR, ptr_ != end_) << "Incomplete frame header";
     return false;
   }
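Review bot: The added `CHECK_GE(end_, ptr_);` in Initialize runs one line after `end_ = stream + size;` has already formed the pointer, so for a caller-supplied `size` large enough to wrap, the out-of-range arithmetic happens before the check sees it; the CHECK still converts a wrapped range into an immediate crash instead of a later out-of-bounds read, which is the right trade for untrusted container input. Because the surrounding code uses DCHECK, a one-line comment would stop a future reader from "fixing" it down to a DCHECK: `// CHECK, not DCHECK: size is caller-supplied and must be rejected in release builds too.` Initialize's body continues outside the hunk.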
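Review bot: The remaining-bytes expression `base::checked_cast(end_ - ptr_)` is written out here and again in the frame_size comparison of the following hunk; a small private accessor such as `size_t BytesRemaining() const { return base::checked_cast<size_t>(end_ - ptr_); }` would keep both comparisons identical and give the `CHECK_GE(end_, ptr_)` precondition a single home, though it would need a declaration in the header this patch does not touch. The missing template argument on `base::checked_cast` looks like a rendering artifact of this page, since the cast needs an explicit destination type to compile; worth confirming against the committed source. ParseNextFrame's body continues past the end of the hunk.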
@@ -75,7 +79,7 @@ bool IvfParser::ParseNextFrame(IvfFrameHeader* frame_header,
   frame_header->ByteSwap();
   ptr_ += sizeof(IvfFrameHeader);
 
-  if (end_ < ptr_ + frame_header->frame_size) {
+  if (base::checked_cast(end_ - ptr_) < frame_header->frame_size) {
     DLOG(ERROR) << "Not enough frame data";
     return false;
   }
-- 
cgit v1.2.1
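Review bot: No regression test accompanies the new `base::checked_cast(end_ - ptr_) < frame_header->frame_size` comparison, even though the description names the exact failure mode (a huge frame_size defeating the old pointer-addition check); a unit test that feeds a minimal IVF file header followed by a frame header whose frame_size exceeds the bytes actually remaining, and asserts that ParseNextFrame returns false, would pin the fix and keep the fuzzer finding from regressing. The comparison itself is sound as far as the hunk shows: the header check earlier in the function leaves `ptr_ <= end_` after `ptr_ += sizeof(IvfFrameHeader)`, so the subtraction cannot go negative, and the comparison is warning-free provided frame_size is an unsigned field, which the hunk does not show. ParseNextFrame continues outside the hunk.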