Detect if StoreFrame read more than anmf_payload_size bytes

After ParseAnimationFrame() calls StoreFrame(), check if StoreFrame() reads
more than anmf_payload_size bytes from dmux->mem_. Treat that as PARSE_ERROR.

Change-Id: I0d03885c19d32792af78de7bed1a944ca01f1dc6
This commit is contained in:
Wan-Teh Chang 2020-11-17 07:22:36 +01:00 committed by Skal
parent 17fd4ba820
commit 4b3c6953ef

View File

@ -312,6 +312,7 @@ static ParseStatus ParseAnimationFrame(
int bits; int bits;
MemBuffer* const mem = &dmux->mem_; MemBuffer* const mem = &dmux->mem_;
Frame* frame; Frame* frame;
size_t start_offset;
ParseStatus status = ParseStatus status =
NewFrame(mem, ANMF_CHUNK_SIZE, frame_chunk_size, &frame); NewFrame(mem, ANMF_CHUNK_SIZE, frame_chunk_size, &frame);
if (status != PARSE_OK) return status; if (status != PARSE_OK) return status;
@ -332,7 +333,11 @@ static ParseStatus ParseAnimationFrame(
// Store a frame only if the animation flag is set there is some data for // Store a frame only if the animation flag is set there is some data for
// this frame is available. // this frame is available.
start_offset = mem->start_;
status = StoreFrame(dmux->num_frames_ + 1, anmf_payload_size, mem, frame); status = StoreFrame(dmux->num_frames_ + 1, anmf_payload_size, mem, frame);
if (status != PARSE_ERROR && mem->start_ - start_offset > anmf_payload_size) {
status = PARSE_ERROR;
}
if (status != PARSE_ERROR && is_animation && frame->frame_num_ > 0) { if (status != PARSE_ERROR && is_animation && frame->frame_num_ > 0) {
added_frame = AddFrame(dmux, frame); added_frame = AddFrame(dmux, frame);
if (added_frame) { if (added_frame) {