Merge to M39: Add extra checks to avoid integer overflow.

BUG=425980
TEST=no crash with ASAN

Review URL: https://codereview.chromium.org/659743004

Cr-Commit-Position: refs/heads/master@{#301249}
(cherry picked from commit b2006ac87cec58363090e7d5e10d5d9e3bbda9f9)

R=xhwang@chromium.org

Review URL: https://codereview.chromium.org/695673002

Cr-Commit-Position: refs/branch-heads/2171@{#312}
Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}
diff --git a/media/base/container_names.cc b/media/base/container_names.cc
index 0f629f8..7b188b6 100644
--- a/media/base/container_names.cc
+++ b/media/base/container_names.cc
@@ -954,7 +954,7 @@
 
   int offset = 0;
   while (offset + 8 < buffer_size) {
-    int atomsize = Read32(buffer + offset);
+    uint32 atomsize = Read32(buffer + offset);
     uint32 atomtype = Read32(buffer + offset + 4);
     // Only need to check for ones that are valid at the top level.
     switch (atomtype) {
@@ -985,7 +985,7 @@
         break;  // Offset is way past buffer size.
       atomsize = Read32(buffer + offset + 12);
     }
-    if (atomsize <= 0)
+    if (atomsize == 0 || atomsize > static_cast<size_t>(buffer_size))
       break;  // Indicates the last atom or length too big.
     offset += atomsize;
   }
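Review bot: The new guard `atomsize > static_cast<size_t>(buffer_size)` bounds the atom by the whole buffer rather than by the bytes left after `offset`, so `offset += atomsize` can still reach almost twice `buffer_size`. If `buffer_size` is an `int`, as the cast and the loop condition `offset + 8 < buffer_size` suggest, that signed addition is only safe while the buffer stays under half of INT_MAX. Comparing against the remainder removes that dependency on the caller's buffer size: `if (atomsize == 0 || atomsize > static_cast<uint32>(buffer_size - offset))`. The subtraction is always positive there because the loop condition already holds, and the loop still ends on an oversized atom just as it does now. The enclosing function starts and ends outside both hunks, so the declared type of `buffer_size` is inferred here; a one-line comment next to the `uint32 atomsize` declaration in the first hunk saying the size is untrusted file data would also help.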