WebKit Bugzilla
Attachment 346386 Details for Bug 188256: Handle zero-sized ISOMP4 boxes appropriately
Patch: bug-188256-20180802175558.patch (text/plain), 2.75 KB, created by Charlie Turner on 2018-08-02 09:55:59 PDT
>Subversion Revision: 234497 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 52ea76b9821a6a21f8aa9e8a945bf0634e1f7613..419e3343144262850361ede2b9351df9299a6ffc 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,39 @@ >+2018-08-02 Charlie Turner <cturner@igalia.com> >+ >+ Handle zero-sized ISOMP4 boxes appropriately >+ https://bugs.webkit.org/show_bug.cgi?id=188256 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ According to ISO/IEC 14496-12:2012(E), when the Box classes' size >+ field is zero, the implied size of the box extends to the end of >+ the file. If this detail is not taken into account, CENC >+ sanitization can incorrectly report an invalid box size, since 0 >+ != the number of bytes in this box, specifically, the data layout >+ of Box is as follows, >+ >+ aligned(8) class Box (unsigned int(32) boxtype, >+ optional unsigned int(8)[16] extended_type) { >+ unsigned int(32) size; >+ unsigned int(32) type = boxtype; >+ if (size==1) { >+ unsigned int(64) largesize; >+ } else if (size==0) { // This is the case now handled. >+ // box extends to end of file >+ } >+ if (boxtype==âuuidâ) { >+ unsigned int(8)[16] usertype = extended_type; >+ } >+ } >+ >+ Tested by imported/w3c/web-platform-tests/encrypted-media/clearkey-generate-request-disallowed-input.https.html >+ >+ * platform/graphics/iso/ISOBox.cpp: >+ (WebCore::ISOBox::peekBox): Check if the parsed size is zero, and >+ if it is, the size is calculated as the total number of bytes in >+ the incoming DataView. >+ (WebCore::ISOBox::parse): Ditto. >+ > 2018-08-02 Charlie Turner <cturner@igalia.com> > > [GStreamer] Stop pushing buffers when seeking status changes >diff --git a/Source/WebCore/platform/graphics/iso/ISOBox.cpp b/Source/WebCore/platform/graphics/iso/ISOBox.cpp >index 6400796d89d535dabd3281e16788e615db5538f4..c06e3a6338860f11eb0ebcfa438d3520266f5d48 100644 >--- a/Source/WebCore/platform/graphics/iso/ISOBox.cpp 
>+++ b/Source/WebCore/platform/graphics/iso/ISOBox.cpp >@@ -44,6 +44,8 @@ ISOBox::PeekResult ISOBox::peekBox(DataView& view, unsigned offset) > > if (size == 1 && !checkedRead<uint64_t>(size, view, offset, BigEndian)) > return std::nullopt; >+ else if (!size) >+ size = view.byteLength(); > > return std::make_pair(type, size); > } >@@ -74,6 +76,8 @@ bool ISOBox::parse(DataView& view, unsigned& offset) > > if (m_size == 1 && !checkedRead<uint64_t>(m_size, view, offset, BigEndian)) > return false; >+ else if (!m_size) >+ m_size = view.byteLength(); > > if (m_boxType == "uuid") { > struct ExtendedType {
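Review bot: In the ChangeLog hunk, the quoted Box definition has non-ASCII quote characters around uuid in the `if (boxtype==...)` line, pasted from the spec, and they come through as garbled bytes; use plain ASCII quotes there. The entry also describes the new size as "the total number of bytes in the incoming DataView", which matches the spec's "extends to the end of the file" only when the box starts at offset 0 of the view, so the entry should state that assumption or describe how the offset is accounted for.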
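Review bot: In the peekBox hunk, `size = view.byteLength();` ignores the `offset` argument, so a zero-size box that begins partway into the view is reported as larger than the bytes remaining from its start, and any caller that uses the peeked size as a bound is handed a length that overshoots the data. Set the size to the view length minus the offset at which this box began (saved before the header reads). The `else` after the `return std::nullopt;` branch is also unnecessary; a plain `if (!size)` reads more clearly after an early return.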
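Review bot: In the parse hunk, `m_size = view.byteLength();` repeats the peekBox logic verbatim and has the same offset blind spot: `offset` is an `unsigned&` that can be non-zero on entry, yet the implied size is taken from the whole view rather than from where this box starts. Record the starting offset on entry and derive m_size from the bytes remaining after it, and move the size == 1 / size == 0 handling into one shared helper so peekBox and parse cannot drift apart.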
Attachments on bug 188256: 346378 | 346386