Closed Bug 1298259 Opened 4 years ago Closed 4 years ago

Stagefright's Saio() expects the wrong number of bytes

Categories

(Core :: Audio/Video: Playback, defect)

50 Branch
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: gerald, Assigned: gerald)

References

Details

Attachments

(1 file)

Spawned from bug 1296532 comment 14.

in MoofParser.cpp:
>  size_t count = reader->ReadU32();
>  need = (version ? sizeof(uint64_t) : sizeof(uint32_t)) * count;
>  if (reader->Remaining() < count) {
>    LOG(Saio, "Incomplete Box (have:%lld need:%lld)",
>        (uint64_t)reader->Remaining(), (uint64_t)need);
>    return;
>  }
In the test on the 3rd line, 'reader->Remaining()' is in bytes, but 'count' is a number of numbers; 'need' (equivalent in bytes) should be used instead.

So the current test could accept video files that are actually missing some saio data. (The reader will just crash in debug mode, or return 0 in release mode, so there is no security risk here.)
Comment on attachment 8785131 [details]
Bug 1298259 - better saio check -

https://reviewboard.mozilla.org/r/74438/#review72350
Attachment #8785131 - Flags: review?(jyavenard) → review+
https://hg.mozilla.org/mozilla-central/rev/50b447aa8c19
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.