Closed Bug 1123507 Opened 5 years ago Closed 5 years ago

Out of bound memory access in MoofReader

Categories

(Core :: Audio/Video, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla38
Tracking Status
firefox36 --- fixed
firefox37 --- fixed
firefox38 --- fixed

People

(Reporter: jya, Assigned: jya)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

As title states...

Box constructor will read and copy 16 bytes into a buffer 8 bytes long
Depends on: 1116056
read/write proper amount of data
Attachment #8551543 - Flags: review?(edwin)
Assignee: nobody → jyavenard
Status: NEW → ASSIGNED
Blocks: 1118597
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/c9d2b07a108d
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/1a1a66376625

Ralph, I think this should urgently be uplifted
Flags: needinfo?(giles)
Comment on attachment 8551543 [details] [diff] [review]
Prevent out of bound memory access

I agree, this is an important one.

Approval Request Comment
[Feature/regressing bug #]: MSE
[User impact if declined]: Crashes and memory corruption from malformed videos.
[Describe test coverage new/current, TBPL]: presuming green on inbound.
[Risks and why]: Low; change is straightforward and small.
[String/UUID change made/needed]: None.
Flags: needinfo?(giles)
Attachment #8551543 - Flags: approval-mozilla-beta?
Attachment #8551543 - Flags: approval-mozilla-aurora?
Comment on attachment 8551543 [details] [diff] [review]
Prevent out of bound memory access

Taking it even if it didn't land in m-c to be sure it is in beta 2!
Attachment #8551543 - Flags: approval-mozilla-beta?
Attachment #8551543 - Flags: approval-mozilla-beta+
Attachment #8551543 - Flags: approval-mozilla-aurora?
Attachment #8551543 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/1a1a66376625
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You would need to craft a fragmented MP4 using a 64-bit index size.
Not sure how you could test it as such. Especially as the behaviour would depend on the OS/Compiler
Flags: needinfo?(jyavenard)
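The failure mode discussed in this bug (an ISO BMFF box header whose 32-bit size field is 1, meaning a 64-bit "largesize" follows, so the header is 16 bytes rather than 8) is shown below as an added example of a bounds-checked header parser. This is illustrative code, not Mozilla's MoofReader or the patch in attachment 8551543; the `BoxHeader` struct, `parse_box_header` function and the constructed `kExtendedMoof` sample are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical parsed ISO BMFF box header (not Mozilla's type). */
typedef struct {
    uint64_t size;       /* total box size including header; 0 = extends to end of file */
    uint32_t type;       /* four-character code packed big-endian into a u32 */
    size_t   header_len; /* 8 for a 32-bit size, 16 when the 64-bit largesize is present */
} BoxHeader;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Returns 1 on success, 0 if the header does not fit in `avail` bytes or the
   declared size is inconsistent. Never reads past buf + avail, and never
   copies more bytes than the caller actually has. */
int parse_box_header(const uint8_t *buf, size_t avail, BoxHeader *out) {
    if (avail < 8) return 0;              /* need 32-bit size + 32-bit type */
    uint32_t size32 = be32(buf);
    out->type = be32(buf + 4);
    out->header_len = 8;
    if (size32 == 1) {
        /* Extended size: the header is 16 bytes, so verify that much is
           available BEFORE reading; the bug in this report copied 16 bytes
           into an 8-byte buffer at this point. */
        if (avail < 16) return 0;
        out->size = be64(buf + 8);
        out->header_len = 16;
    } else {
        out->size = size32;
    }
    /* A non-zero box size smaller than its own header is malformed. */
    if (out->size != 0 && out->size < out->header_len) return 0;
    return 1;
}

/* Constructed sample: a 'moof' box with size field 1 and largesize = 24,
   followed by 8 payload bytes (24 bytes total). */
static const uint8_t kExtendedMoof[] = {
    0x00, 0x00, 0x00, 0x01, 'm', 'o', 'o', 'f',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18,
    1, 2, 3, 4, 5, 6, 7, 8
};

int main(void) {
    BoxHeader h;
    if (parse_box_header(kExtendedMoof, sizeof kExtendedMoof, &h))
        printf("ok: size=%llu header_len=%zu\n", (unsigned long long)h.size, h.header_len);
    /* Truncated after 12 bytes: the largesize does not fit, so we refuse. */
    if (!parse_box_header(kExtendedMoof, 12, &h))
        printf("rejected truncated extended header\n");
    return 0;
}
```

The key property is that every read is preceded by a check against the bytes actually available, so a file that ends in the middle of a 16-byte header is rejected rather than read past the end of the buffer.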