Bug 1462194 (Open, status NEW)
Opened 7 years ago, updated 2 years ago
nestegg: unsigned integer overflow in [@ nestegg_read_packet]
Categories: Core :: Audio/Video: Playback, defect, P3
People: Reporter: tsmith, Assigned: kinetik
Keywords: testcase
Attachments (1 file): 525 bytes, video/webm

Description
nestegg (test) was built using the following config command:
CFLAGS="-fsanitize=integer" CC=clang ./configure --enable-static --disable-shared
src/nestegg.c:2834:26: runtime error: unsigned integer overflow: 18033421728100400 * 1000000 cannot be represented in type 'unsigned long'
#0 0x5009ce in nestegg_read_packet nestegg/src/nestegg.c:2834:26
#1 0x4ea703 in main nestegg/test/test.c:166:9
#2 0x7fd49045182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x418928 in _start (test+0x418928)
Updated • 7 years ago (Assignee)
Assignee: nobody → kinetik

Comment 1 • 7 years ago (Assignee)
The result of this is only ever used to compute the next frame's timestamp, so I believe the worst case is incorrect frame presentation times or treating the media as invalid and aborting playback. I'll clear s-s on this as I don't believe there are security implications here.
In terms of a fix, the Matroska spec doesn't seem to define how to handle invalid timestamps. We could treat the media as invalid (my preferred approach), but we've moved to make Firefox's media playback more accepting of invalid media over time, so alternatively we could check for potential overflow and clamp the timestamp to the max valid value.
Group: media-core-security
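The two handling options discussed in Comment 1, rejecting the media versus clamping the timestamp, as an added C example that is not nestegg's code and not a patch for this bug. The multiplier 1000000 and the timestamp operand 18033421728100400 are taken from the sanitizer report above; the function names and the assumption that the scaled value is a uint64_t are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Multiplier seen in the sanitizer report (timestamp * 1000000). */
#define TS_SCALE UINT64_C(1000000)

/* Policy 1 (reject): return false and leave *out untouched when ts * scale
 * would exceed UINT64_MAX, so the caller can treat the media as invalid.
 * The division-based check is portable C and never itself overflows. */
static bool scale_timestamp_checked(uint64_t ts, uint64_t scale, uint64_t *out)
{
    if (scale != 0 && ts > UINT64_MAX / scale)
        return false;
    *out = ts * scale;
    return true;
}

/* Policy 2 (clamp): saturate at UINT64_MAX instead of wrapping, so a later
 * timestamp can never appear to jump backwards past an earlier one. */
static uint64_t scale_timestamp_clamped(uint64_t ts, uint64_t scale)
{
    uint64_t out;
    if (!scale_timestamp_checked(ts, scale, &out))
        return UINT64_MAX;
    return out;
}

/* The unchecked expression: unsigned wraparound modulo 2^64. This is defined
 * behaviour in C, which is why only -fsanitize=integer (not plain UBSan) flags it,
 * but the wrapped value is a meaningless presentation time. */
static uint64_t scale_timestamp_wrapping(uint64_t ts, uint64_t scale)
{
    return ts * scale;
}

int main(void)
{
    /* Operand taken from the sanitizer report in this bug. */
    const uint64_t trace_ts = UINT64_C(18033421728100400);
    uint64_t out;

    printf("wrapping : %llu\n",
           (unsigned long long)scale_timestamp_wrapping(trace_ts, TS_SCALE));
    printf("checked  : %s\n",
           scale_timestamp_checked(trace_ts, TS_SCALE, &out) ? "ok" : "rejected");
    printf("clamped  : %llu\n",
           (unsigned long long)scale_timestamp_clamped(trace_ts, TS_SCALE));
    return 0;
}
```

On compilers that provide it, `__builtin_mul_overflow(ts, scale, &out)` does the same check in one call; the division form is shown because it works with any C99 compiler.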
Updated • 7 years ago
Priority: -- → P3

Updated • 2 years ago
Severity: normal → S3