diff options
| author | Erik Språng <sprang@webrtc.org> | 2018-01-22 15:18:12 -0800 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2018-02-09 13:52:48 +0000 |
| commit | 845a26214d51401a8c7ef767348336eb19c662ef (patch) | |
| tree | fb2dfaceae1c040cac948b869d69cf21927bcf7a /common_video | |
| parent | 32e930fffae5be6d1e645705986ce98c06736bea (diff) | |
| download | webrtc-845a26214d51401a8c7ef767348336eb19c662ef.tar.gz | |
Prevent potential integer overflow in sps parser
Bug: webrtc:8275, chromium:800698
Change-Id: I4dcba8ba480cd2a1b97dc09e97f585f2b3cf3279
Reviewed-on: https://webrtc-review.googlesource.com/40443
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Reviewed-by: Magnus Jedvert <magjed@webrtc.org>
Commit-Queue: Erik Språng <sprang@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21971}
Diffstat (limited to 'common_video')
| -rw-r--r-- | common_video/h264/sps_parser.cc | 7 | ||||
| -rw-r--r-- | common_video/h264/sps_parser_unittest.cc | 2 |
2 files changed, 8 insertions, 1 deletions
diff --git a/common_video/h264/sps_parser.cc b/common_video/h264/sps_parser.cc index 2be6da2274..c921972ce0 100644 --- a/common_video/h264/sps_parser.cc +++ b/common_video/h264/sps_parser.cc @@ -17,6 +17,7 @@ #include "rtc_base/bitbuffer.h" #include "rtc_base/logging.h" +namespace { typedef rtc::Optional<webrtc::SpsParser::SpsState> OptionalSps; #define RETURN_EMPTY_ON_FAIL(x) \ @@ -24,6 +25,10 @@ typedef rtc::Optional<webrtc::SpsParser::SpsState> OptionalSps; return OptionalSps(); \ } +constexpr int kScalingDeltaMin = -128; +constexpr int kScaldingDeltaMax = 127; +} // namespace + namespace webrtc { SpsParser::SpsState::SpsState() = default; @@ -115,6 +120,8 @@ rtc::Optional<SpsParser::SpsState> SpsParser::ParseSpsUpToVui( // delta_scale: se(v) RETURN_EMPTY_ON_FAIL( buffer->ReadSignedExponentialGolomb(&delta_scale)); + RETURN_EMPTY_ON_FAIL(delta_scale >= kScalingDeltaMin && + delta_scale <= kScaldingDeltaMax); next_scale = (last_scale + delta_scale + 256) % 256; } if (next_scale != 0) diff --git a/common_video/h264/sps_parser_unittest.cc b/common_video/h264/sps_parser_unittest.cc index 39e6f2e362..6856c1bbf2 100644 --- a/common_video/h264/sps_parser_unittest.cc +++ b/common_video/h264/sps_parser_unittest.cc @@ -172,7 +172,7 @@ TEST_F(H264SpsParserTest, TestSyntheticSPSWeirdResolution) { } TEST_F(H264SpsParserTest, TestSampleSPSWithScalingLists) { - // SPS from a 1920x1080 video. Contains scaling lists (and veritcal cropping). + // SPS from a 1920x1080 video. Contains scaling lists (and vertical cropping). const uint8_t buffer[] = {0x64, 0x00, 0x2a, 0xad, 0x84, 0x01, 0x0c, 0x20, 0x08, 0x61, 0x00, 0x43, 0x08, 0x02, 0x18, 0x40, 0x10, 0xc2, 0x00, 0x84, 0x3b, 0x50, 0x3c, 0x01, |