Closed Bug 1298259 Opened 8 years ago Closed 8 years ago

Stagefright's Saio() expects the wrong number of bytes

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Version:
50 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox51 --- fixed

People

(Reporter: mozbugz, Assigned: mozbugz)

References

Details

Attachments

(1 file)

Bug 1298259 - better saio check -
58 bytes, text/x-review-board-request
jya
: review+
Details
Spawned from bug 1296532 comment 14. in MoofParser.cpp: > size_t count = reader->ReadU32(); > need = (version ? sizeof(uint64_t) : sizeof(uint32_t)) * count; > if (reader->Remaining() < count) { > LOG(Saio, "Incomplete Box (have:%lld need:%lld)", > (uint64_t)reader->Remaining(), (uint64_t)need); > return; > } In the test on the 3rd line, 'reader->Remaining()' is in bytes, but 'count' is a number of numbers; 'need' (equivalent in bytes) should be used instead. So the current test could accept video files that are actually missing some saio data. (The reader will just crash in debug mode, or return 0 in release mode, so there is no security risk here.)
Comment on attachment 8785131 [details] Bug 1298259 - better saio check - https://reviewboard.mozilla.org/r/74438/#review72350
Attachment #8785131 - Flags: review?(jyavenard) → review+
https://hg.mozilla.org/mozilla-central/rev/50b447aa8c19
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: