Bug 1080986 - Check list chunk is large enough to read list ID before reading. r=giles

Matthew Gregan 2014-10-15 13:56:09 +13:00
parent 98ea336f02
commit 42dc89c2ca
4 changed files with 6 additions and 2 deletions


@ -0,0 +1,3 @@
<html>
<audio autoplay src="1080986.wav"></audio>
</html>

Binary file not shown.


@ -74,6 +74,7 @@ HTTP load media-element-source-seek-1.html
load offline-buffer-source-ended-1.html
load oscillator-ended-1.html
load oscillator-ended-2.html
load 1080986.html
include ../../mediasource/test/crashtests/crashtests.list
# This needs to run at the end to avoid leaking busted state into other tests.


@ -551,7 +551,7 @@ WaveReader::LoadListChunk(uint32_t aChunkSize,
static_assert(uint64_t(MAX_CHUNK_SIZE) < UINT_MAX / sizeof(char),
"MAX_CHUNK_SIZE too large for enumerator.");
if (aChunkSize > MAX_CHUNK_SIZE) {
if (aChunkSize > MAX_CHUNK_SIZE || aChunkSize < 4) {
return false;
}
@ -561,7 +561,7 @@ WaveReader::LoadListChunk(uint32_t aChunkSize,
}
static const uint32_t INFO_LIST_MAGIC = 0x494e464f;
const char *p = chunk.get();
const char* p = chunk.get();
if (ReadUint32BE(&p) != INFO_LIST_MAGIC) {
return false;
}
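Review bot: The new lower bound `aChunkSize < 4` in the size check is an unexplained literal. It stands for the four bytes that `ReadUint32BE(&p)` consumes for the list ID in the second hunk, but nothing on the line ties the two together. I would write it as `aChunkSize < sizeof(uint32_t)`, or add `// Need at least 4 bytes for the list type ID read below.`, so a later change to the header read does not silently reintroduce the out-of-bounds read. The guard only covers that first read. LoadListChunk continues outside both hunks, so it is worth verifying that the later sub-chunk reads are bounded against the end of `chunk`; that cannot be confirmed from here.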