guix/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
Mark H Weaver 3faf214a0b gnu: icecat: Add fixes for several security flaws.
* gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-7205.patch,
  gnu/packages/patches/icecat-CVE-2015-7210.patch,
  gnu/packages/patches/icecat-CVE-2015-7212.patch,
  gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7214.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
2015-12-17 14:12:06 -05:00


From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
From: Jean-Yves Avenard <jyavenard@mozilla.com>
Date: Wed, 9 Dec 2015 09:54:58 +0100
Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
r=kentuckyfriedtakahe, a=sylvestre
---
.../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index 22163fa..318152a 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
CHECK_NE(err, (status_t)NO_INIT);
// copy pssh data into file metadata
- int psshsize = 0;
+ uint64_t psshsize = 0;
for (size_t i = 0; i < mPssh.size(); i++) {
psshsize += 20 + mPssh[i].datalen;
}
+ if (psshsize > kMAX_ALLOCATION) {
+ return ERROR_MALFORMED;
+ }
if (psshsize) {
char *buf = (char*)malloc(psshsize);
char *ptr = buf;
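Review bot: In the loop, `20 + mPssh[i].datalen` is still evaluated in the type of `datalen` before it is added to the new 64-bit `psshsize`. That type is not shown in this hunk; if the field is 32 bits wide, a `datalen` close to its maximum can wrap in that sub-expression, and the wrapped value would then pass the `psshsize > kMAX_ALLOCATION` check. Widening the operand first, for example `psshsize += 20 + (uint64_t)mPssh[i].datalen;`, or rejecting an oversized `datalen` inside the loop, would close that gap. Two smaller points: `kMAX_ALLOCATION` is neither defined nor documented in this hunk, so its value and where it comes from should be confirmed (it needs to fit in `size_t` on 32-bit targets, since `malloc(psshsize)` narrows the argument), and the visible lines do not show the result of `malloc` being checked before `buf` is used.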
--
2.6.3