diff options
| author | Pale Moon <git-repo@palemoon.org> | 2018-03-15 14:53:20 +0100 |
|---|---|---|
| committer | Pale Moon <git-repo@palemoon.org> | 2018-03-19 12:21:50 +0100 |
| commit | 3dc01fb9e384c556e853b785b6852401a618604a (patch) | |
| tree | d903a6751e919aee1854a8e084915947a6c819b3 | |
| parent | 8f1b656dbe4d6ffcfef04ec351be1482ef70ce1b (diff) | |
| download | palemoon-3dc01fb9e384c556e853b785b6852401a618604a.tar.gz | |
Check plane width & stride constraints.
| -rw-r--r-- | dom/media/MediaData.cpp | 2 | ||||
| -rw-r--r-- | gfx/layers/ImageContainer.cpp | 23 |
2 files changed, 14 insertions, 11 deletions
diff --git a/dom/media/MediaData.cpp b/dom/media/MediaData.cpp index ddcbd9efd..abae9ad29 100644 --- a/dom/media/MediaData.cpp +++ b/dom/media/MediaData.cpp @@ -76,7 +76,7 @@ ValidatePlane(const VideoData::YCbCrBuffer::Plane& aPlane) return aPlane.mWidth <= PlanarYCbCrImage::MAX_DIMENSION && aPlane.mHeight <= PlanarYCbCrImage::MAX_DIMENSION && aPlane.mWidth * aPlane.mHeight < MAX_VIDEO_WIDTH * MAX_VIDEO_HEIGHT && - aPlane.mStride > 0; + aPlane.mStride > 0 && aPlane.mWidth <= aPlane.mStride; } #ifdef MOZ_WIDGET_GONK diff --git a/gfx/layers/ImageContainer.cpp b/gfx/layers/ImageContainer.cpp index 1f19a6bec..db3ecbf3e 100644 --- a/gfx/layers/ImageContainer.cpp +++ b/gfx/layers/ImageContainer.cpp @@ -366,12 +366,15 @@ static void CopyPlane(uint8_t *aDst, const uint8_t *aSrc, const gfx::IntSize &aSize, int32_t aStride, int32_t aSkip) { + int32_t height = aSize.height; + int32_t width = aSize.width; + + MOZ_RELEASE_ASSERT(width <= aStride); + if (!aSkip) { // Fast path: planar input. - memcpy(aDst, aSrc, aSize.height * aStride); + memcpy(aDst, aSrc, height * aStride); } else { - int32_t height = aSize.height; - int32_t width = aSize.width; for (int y = 0; y < height; ++y) { const uint8_t *src = aSrc; uint8_t *dst = aDst; @@ -389,13 +392,11 @@ CopyPlane(uint8_t *aDst, const uint8_t *aSrc, void PlanarYCbCrImage::CopyData(const Data& aData) { - mData = aData; - // update buffer size // Use uint32_t throughout to match AllocateBuffer's param and mBufferSize const auto checkedSize = - CheckedInt<uint32_t>(mData.mCbCrStride) * mData.mCbCrSize.height * 2 + - CheckedInt<uint32_t>(mData.mYStride) * mData.mYSize.height; + CheckedInt<uint32_t>(aData.mCbCrStride) * aData.mCbCrSize.height * 2 + + CheckedInt<uint32_t>(aData.mYStride) * aData.mYSize.height; if (!checkedSize.isValid()) return; @@ -410,16 +411,18 @@ PlanarYCbCrImage::CopyData(const Data& aData) // update buffer size mBufferSize = size; + mData = aData; mData.mYChannel = mBuffer; mData.mCbChannel = mData.mYChannel + mData.mYStride * mData.mYSize.height; mData.mCrChannel = mData.mCbChannel + mData.mCbCrStride * mData.mCbCrSize.height; + mData.mYSkip = mData.mCbSkip = mData.mCrSkip = 0; CopyPlane(mData.mYChannel, aData.mYChannel, - mData.mYSize, mData.mYStride, mData.mYSkip); + aData.mYSize, aData.mYStride, aData.mYSkip); CopyPlane(mData.mCbChannel, aData.mCbChannel, - mData.mCbCrSize, mData.mCbCrStride, mData.mCbSkip); + aData.mCbCrSize, aData.mCbCrStride, aData.mCbSkip); CopyPlane(mData.mCrChannel, aData.mCrChannel, - mData.mCbCrSize, mData.mCbCrStride, mData.mCrSkip); + aData.mCbCrSize, aData.mCbCrStride, aData.mCrSkip); mSize = aData.mPicSize; } |