author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-02-20 17:19:54 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@theqtcompany.com> | 2015-02-24 12:22:27 +0000 |
commit | f11cfbcb5d7fd5ad4e32deae77fac6d17f87a4b7 (patch) | |
tree | 81d8f2577f7f91962bca180ad387bbeb716ea41c | |
parent | c1fbe1875c0f31faaac604cd861766a7c14e3cdf (diff) | |
download | qtwebkit-f11cfbcb5d7fd5ad4e32deae77fac6d17f87a4b7.tar.gz |
Fix crash on html5video.org by detecting inconsistent frame data
GStreamer is on this particular video sending us invalid dimensions that
would lead us to operate on invalid addresses. We ignore that frame and
print a warning to the log so the user might know their gstreamer plugin
is dangerously broken.
Task-number: QTBUG-44245
Change-Id: I476ec9822ff2f8210161a8642e16bbafb6786357
Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
-rw-r--r-- | Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp | 4 | ||||
-rw-r--r-- | Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp | 2 |
2 files changed, 5 insertions, 1 deletions
diff --git a/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp b/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
index ece3c3f27..58db02696 100644
--- a/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
+++ b/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
@@ -45,6 +45,10 @@ ImageGStreamer::ImageGStreamer(GstBuffer* buffer, GstCaps* caps)
 #ifdef GST_API_VERSION_1
 gst_buffer_map(buffer, &m_mapInfo, GST_MAP_READ);
 uchar* bufferData = reinterpret_cast<uchar*>(m_mapInfo.data);
+ if (size.width() * size.height() * 4 > m_mapInfo.maxsize) {
+ qWarning("Ignoring dangerously invalid frame emitted by GStreamer.");
+ return;
+ }
 #else
 uchar* bufferData = reinterpret_cast<uchar*>(GST_BUFFER_DATA(buffer));
 #endif
diff --git a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
index 83c896c39..6235ae9be 100644
--- a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
+++ b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
@@ -440,7 +440,7 @@ void MediaPlayerPrivateGStreamerBase::paint(GraphicsContext* context, const IntR
 }
 RefPtr<ImageGStreamer> gstImage = ImageGStreamer::createImage(m_buffer, caps.get());
- if (!gstImage) {
+ if (!gstImage || !gstImage->image().get()) {
 g_mutex_unlock(m_bufferMutex);
 return;
 } |
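Review bot: The added bounds check `size.width() * size.height() * 4 > m_mapInfo.maxsize` can be defeated by the very dimensions it validates: if `size` holds `int` values (its declaration is outside the hunk), the product is computed in `int` and can overflow for large width/height, so a wrapped small value passes the test. Compute the requirement in a wide unsigned type and reject non-positive dimensions, e.g. `const guint64 needed = static_cast<guint64>(size.width()) * size.height() * 4;` followed by `if (size.width() <= 0 || size.height() <= 0 || needed > m_mapInfo.size) {`. Comparing against `m_mapInfo.size` rather than `maxsize` also keeps the read inside the valid data instead of the whole allocation. The `#else` branch using `GST_BUFFER_DATA` gets no equivalent check, and the result of `gst_buffer_map` is still ignored. The constructor continues outside the hunk, so whether the early `return` leaves the buffer mapped cannot be confirmed here.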
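Review bot: The extra `!gstImage->image().get()` test in paint() makes a constructed ImageGStreamer with a null image the error signal, which every other user of `ImageGStreamer::createImage` would have to know about. Callers outside this hunk are not visible, so any that only test `!gstImage` may still go on to use a null image. It would be safer to have the factory return a null RefPtr for a rejected frame, so the existing `if (!gstImage)` check stays sufficient. If the check stays here, add a comment such as `// image() is null when the constructor rejected an inconsistent frame.` above the condition. paint() begins and ends outside the hunk.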