WebKit Bugzilla
Attachment 346378 Details for Bug 188256: Handle zero-sized ISOMP4 boxes appropriately
[patch] Patch: bug-188256-20180802144905.patch (text/plain), 2.41 KB, created by Charlie Turner on 2018-08-02 06:49:06 PDT
>Subversion Revision: 234497 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 52ea76b9821a6a21f8aa9e8a945bf0634e1f7613..4016d4267e100c22e23f64854f398a5873e69384 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,38 @@ >+2018-08-02 Charlie Turner <cturner@igalia.com> >+ >+ Handle zero-sized ISOMP4 boxes appropriately >+ https://bugs.webkit.org/show_bug.cgi?id=188256 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ According to ISO/IEC 14496-12:2012(E), when the Box classes' size >+ field is zero, the implied size of the box extends to the end of >+ the file. If this detail is not taken into account, CENC >+ sanitization can incorrectly report an invalid box size, since 0 >+ != the number of bytes in this box, specifically, the data layout >+ of Box is as follows, >+ >+ aligned(8) class Box (unsigned int(32) boxtype, >+ optional unsigned int(8)[16] extended_type) { >+ unsigned int(32) size; >+ unsigned int(32) type = boxtype; >+ if (size==1) { >+ unsigned int(64) largesize; >+ } else if (size==0) { // This is the case now handled. >+ // box extends to end of file >+ } >+ if (boxtype==âuuidâ) { >+ unsigned int(8)[16] usertype = extended_type; >+ } >+ } >+ >+ Tested by imported/w3c/web-platform-tests/encrypted-media/clearkey-generate-request-disallowed-input.https.html >+ >+ * platform/graphics/iso/ISOBox.cpp: >+ (WebCore::ISOBox::peekBox): Check if the parsed size is zero, and >+ if it is, the size is calculated as the total number of bytes in >+ the incoming DataView. >+ > 2018-08-02 Charlie Turner <cturner@igalia.com> > > [GStreamer] Stop pushing buffers when seeking status changes >diff --git a/Source/WebCore/platform/graphics/iso/ISOBox.cpp b/Source/WebCore/platform/graphics/iso/ISOBox.cpp >index 6400796d89d535dabd3281e16788e615db5538f4..0374f8d6f7d0eedab7abb39c98d67c9241d36b2d 100644 >--- a/Source/WebCore/platform/graphics/iso/ISOBox.cpp >+++ b/Source/WebCore/platform/graphics/iso/ISOBox.cpp 
>@@ -44,6 +44,8 @@ ISOBox::PeekResult ISOBox::peekBox(DataView& view, unsigned offset) > > if (size == 1 && !checkedRead<uint64_t>(size, view, offset, BigEndian)) > return std::nullopt; >+ else if (!size) >+ size = view.byteLength(); > > return std::make_pair(type, size); > }
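Review bot: In the ChangeLog entry, the description says a zero-sized box "extends to the end of the file", while the peekBox line says the size becomes "the total number of bytes in the incoming DataView"; the two agree only when the box starts at the beginning of the view and the view ends where the file ends, so state that assumption or reword the entry. The quotes around uuid in the pasted Box syntax are non-ASCII and come through garbled; plain ASCII quotes would be safer in a ChangeLog. The "Tested by" line names an existing imported test; say whether it fails without this change, or add a case that feeds a zero-sized box.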
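Review bot: In the ISOBox::peekBox hunk, `size = view.byteLength();` ignores the `offset` parameter, so a zero-sized box that does not start at byte 0 of the view is reported as larger than the data that actually remains. Since a zero size means the box runs to the end of the file, the returned size should be the bytes remaining from the box's start, that is view.byteLength() minus the offset peekBox was called with (save that value before the reads if checkedRead advances `offset`). Callers that add the returned size to their own offset are worth checking for staying within the view. On style, the new branch follows `return std::nullopt;`, so WebKit style wants a plain `if (!size)` rather than `else if (!size)`.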