From c3330e6c8a3eabc4c7c05b8780a06a391ccf1602 Mon Sep 17 00:00:00 2001 From: trav90 Date: Thu, 4 May 2017 02:34:33 -0500 Subject: [PATCH] Ensure we don't attempt to process garbage data --- dom/media/mediasource/TrackBuffersManager.cpp | 13 +++++++++++-- dom/media/mediasource/TrackBuffersManager.h | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/dom/media/mediasource/TrackBuffersManager.cpp b/dom/media/mediasource/TrackBuffersManager.cpp index 5fea90e3c2..26778684d6 100644 --- a/dom/media/mediasource/TrackBuffersManager.cpp +++ b/dom/media/mediasource/TrackBuffersManager.cpp @@ -692,13 +692,22 @@ void TrackBuffersManager::InitializationSegmentReceived() { MOZ_ASSERT(mParser->HasCompleteInitData()); + + int64_t endInit = mParser->InitSegmentRange().mEnd; + if (mInputBuffer->Length() > mProcessedInput || + int64_t(mProcessedInput - mInputBuffer->Length()) > endInit) { + // Something is not quite right with the data appended. Refuse it. + RejectAppend(NS_ERROR_FAILURE, __func__); + return; + } + mCurrentInputBuffer = new SourceBufferResource(mType); mCurrentInputBuffer->AppendData(mParser->InitData()); - uint32_t length = - mParser->InitSegmentRange().mEnd - (mProcessedInput - mInputBuffer->Length()); + uint32_t length = endInit - (mProcessedInput - mInputBuffer->Length()); if (mInputBuffer->Length() == length) { mInputBuffer = nullptr; } else { + MOZ_RELEASE_ASSERT(length <= mInputBuffer->Length()); mInputBuffer->RemoveElementsAt(0, length); } CreateDemuxerforMIMEType(); diff --git a/dom/media/mediasource/TrackBuffersManager.h b/dom/media/mediasource/TrackBuffersManager.h index 0bb7a6ec34..1b1c56938e 100644 --- a/dom/media/mediasource/TrackBuffersManager.h +++ b/dom/media/mediasource/TrackBuffersManager.h @@ -145,7 +145,7 @@ private: nsRefPtr mCurrentInputBuffer; nsRefPtr mInputDemuxer; // Length already processed in current media segment. - uint32_t mProcessedInput; + uint64_t mProcessedInput; void OnDemuxerInitDone(nsresult); void OnDemuxerInitFailed(DemuxerFailureReason aFailure);