mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-19 09:22:05 -05:00
3faf214a0b
* gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch, gnu/packages/patches/icecat-CVE-2015-7205.patch, gnu/packages/patches/icecat-CVE-2015-7210.patch, gnu/packages/patches/icecat-CVE-2015-7212.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7214.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
37 lines
1.5 KiB
Diff
37 lines
1.5 KiB
Diff
From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
|
|
From: Gerald Squelart <gsquelart@mozilla.com>
|
|
Date: Wed, 9 Dec 2015 10:00:32 +0100
|
|
Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses -
|
|
r=rillian, a=sylvestre
|
|
|
|
Found only one other use that needed better checks: the size of the pssh
|
|
data was only checked after all items were added up; so it would be
|
|
possible to create a set of big items such that they create an overflow,
|
|
but the final sum looks reasonable.
|
|
Instead each item size should be checked, and the sum should also be
|
|
checked at each step.
|
|
---
|
|
.../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
|
|
index a69fc14..413a495 100644
|
|
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
|
|
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
|
|
@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
|
|
uint64_t psshsize = 0;
|
|
for (size_t i = 0; i < mPssh.size(); i++) {
|
|
psshsize += 20 + mPssh[i].datalen;
|
|
- }
|
|
- if (psshsize > kMAX_ALLOCATION) {
|
|
- return ERROR_MALFORMED;
|
|
+ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
|
|
+ psshsize > kMAX_ALLOCATION) {
|
|
+ return ERROR_MALFORMED;
|
|
+ }
|
|
}
|
|
if (psshsize) {
|
|
char *buf = (char*)malloc(psshsize);
|
|
--
|
|
2.6.3
|
|
|