Bug 1073350: Validate that returned decoded Shmems have enough data r=cpearce

2014-10-01 20:39:08 -04:00 · 2014-10-01 20:39:08 -04:00 · 2ff2b045e3
--- a/content/media/gmp/GMPVideoDecoderParent.cpp
+++ b/content/media/gmp/GMPVideoDecoderParent.cpp
@ -228,6 +228,10 @@ GMPVideoDecoderParent::RecvDecoded(const GMPVideoi420FrameData& aDecodedFrame)
    return false;
  }

+  if (!CheckFrameData(aDecodedFrame)) {
+    LOGE(("%s: Decoded frame corrupt, ignoring", __FUNCTION__));
+    return false;
+  }
  auto f = new GMPVideoi420FrameImpl(aDecodedFrame, &mVideoHost);

  // Ignore any return code. It is OK for this to fail without killing the process.
--- a/content/media/gmp/GMPVideoi420FrameImpl.cpp
+++ b/content/media/gmp/GMPVideoi420FrameImpl.cpp
@ -63,6 +63,31 @@ GMPVideoi420FrameImpl::Destroy()
  delete this;
 }

+/* static */ bool
+CheckFrameData(const GMPVideoi420FrameData& aFrameData)
+{
+  // We may be passed the "wrong" shmem (one smaller than the actual size).
+  // This implies a bug or serious error on the child size.  Ignore this frame if so.
+  // Note: Size() greater than expected is also an error, but with no negative consequences
+  int32_t half_width = (aFrameData.mWidth() + 1) / 2;
+  if ((aFrameData.mYPlane().mStride() <= 0) || (aFrameData.mYPlane().mSize() <= 0) ||
+      (aFrameData.mUPlane().mStride() <= 0) || (aFrameData.mUPlane().mSize() <= 0) ||
+      (aFrameData.mVPlane().mStride() <= 0) || (aFrameData.mVPlane().mSize() <= 0) ||
+      (aFrameData.mYPlane().mSize() > (int32_t) aFrameData.mYPlane().mBuffer().Size<uint8_t>()) ||
+      (aFrameData.mUPlane().mSize() > (int32_t) aFrameData.mUPlane().mBuffer().Size<uint8_t>()) ||
+      (aFrameData.mVPlane().mSize() > (int32_t) aFrameData.mVPlane().mBuffer().Size<uint8_t>()) ||
+      (aFrameData.mYPlane().mStride() < aFrameData.mWidth()) ||
+      (aFrameData.mUPlane().mStride() < half_width) ||
+      (aFrameData.mVPlane().mStride() < half_width) ||
+      (aFrameData.mYPlane().mSize() < aFrameData.mYPlane().mStride() * aFrameData.mHeight()) ||
+      (aFrameData.mUPlane().mSize() < aFrameData.mUPlane().mStride() * ((aFrameData.mHeight()+1)/2)) ||
+      (aFrameData.mVPlane().mSize() < aFrameData.mVPlane().mStride() * ((aFrameData.mHeight()+1)/2)))
+  {
+    return false;
+  }
+  return true;
+}
+
 bool
 GMPVideoi420FrameImpl::CheckDimensions(int32_t aWidth, int32_t aHeight,
                                       int32_t aStride_y, int32_t aStride_u, int32_t aStride_v)
--- a/content/media/gmp/GMPVideoi420FrameImpl.h
+++ b/content/media/gmp/GMPVideoi420FrameImpl.h
@ -16,6 +16,9 @@ namespace gmp {

 class GMPVideoi420FrameData;

+static bool
+CheckFrameData(const GMPVideoi420FrameData& aFrameData);
+
 class GMPVideoi420FrameImpl : public GMPVideoi420Frame
 {
  friend struct IPC::ParamTraits<mozilla::gmp::GMPVideoi420FrameImpl>;