mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-27 23:02:16 -05:00
0ca1eb705d
* gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch, gnu/packages/patches/icecat-CVE-2015-7188.patch, gnu/packages/patches/icecat-CVE-2015-7189.patch, gnu/packages/patches/icecat-CVE-2015-7193.patch, gnu/packages/patches/icecat-CVE-2015-7194.patch, gnu/packages/patches/icecat-CVE-2015-7196.patch, gnu/packages/patches/icecat-CVE-2015-7197.patch, gnu/packages/patches/icecat-CVE-2015-7198.patch, gnu/packages/patches/icecat-CVE-2015-7199.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
65 lines
2.3 KiB
Diff
65 lines
2.3 KiB
Diff
From ef6298177a8390c01f5084ba89a808015a0b9473 Mon Sep 17 00:00:00 2001
|
|
From: Gerald Squelart <gsquelart@mozilla.com>
|
|
Date: Thu, 22 Oct 2015 10:00:12 +0200
|
|
Subject: [PATCH] Bug 1204580 - Check box ranges for overflow - r=rillian, a=al
|
|
|
|
---
|
|
media/libstagefright/binding/Box.cpp | 21 +++++++++++++++++++--
|
|
1 file changed, 19 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/media/libstagefright/binding/Box.cpp b/media/libstagefright/binding/Box.cpp
|
|
index 71c79ed..2558be0 100644
|
|
--- a/media/libstagefright/binding/Box.cpp
|
|
+++ b/media/libstagefright/binding/Box.cpp
|
|
@@ -40,6 +40,11 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
|
|
: mContext(aContext), mParent(aParent)
|
|
{
|
|
uint8_t header[8];
|
|
+
|
|
+ if (aOffset > INT64_MAX - sizeof(header)) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
MediaByteRange headerRange(aOffset, aOffset + sizeof(header));
|
|
if (mParent && !mParent->mRange.Contains(headerRange)) {
|
|
return;
|
|
@@ -67,11 +72,14 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
|
|
uint64_t size = BigEndian::readUint32(header);
|
|
if (size == 1) {
|
|
uint8_t bigLength[8];
|
|
+ if (aOffset > INT64_MAX - sizeof(header) - sizeof(bigLength)) {
|
|
+ return;
|
|
+ }
|
|
MediaByteRange bigLengthRange(headerRange.mEnd,
|
|
headerRange.mEnd + sizeof(bigLength));
|
|
if ((mParent && !mParent->mRange.Contains(bigLengthRange)) ||
|
|
!byteRange->Contains(bigLengthRange) ||
|
|
- !mContext->mSource->CachedReadAt(aOffset, bigLength,
|
|
+ !mContext->mSource->CachedReadAt(aOffset + sizeof(header), bigLength,
|
|
sizeof(bigLength), &bytes) ||
|
|
bytes != sizeof(bigLength)) {
|
|
return;
|
|
@@ -82,10 +90,19 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent)
|
|
mBodyOffset = headerRange.mEnd;
|
|
}
|
|
|
|
+ if (size > INT64_MAX) {
|
|
+ return;
|
|
+ }
|
|
+ int64_t end = static_cast<int64_t>(aOffset) + static_cast<int64_t>(size);
|
|
+ if (end < static_cast<int64_t>(aOffset)) {
|
|
+ // Overflowed.
|
|
+ return;
|
|
+ }
|
|
+
|
|
mType = BigEndian::readUint32(&header[4]);
|
|
mChildOffset = mBodyOffset + BoxOffset(mType);
|
|
|
|
- MediaByteRange boxRange(aOffset, aOffset + size);
|
|
+ MediaByteRange boxRange(aOffset, end);
|
|
if (mChildOffset > boxRange.mEnd ||
|
|
(mParent && !mParent->mRange.Contains(boxRange)) ||
|
|
!byteRange->Contains(boxRange)) {
|
|
--
|
|
2.5.0
|
|
|