ref: fc6ea7e5a8d65a5b1c56d84fe7204b6983cb6a7d
parent: 9a55a8609e35dc3bafaeab1deb1c3cce281d4e67
author: Ethan Hugg <ethanhugg@gmail.com>
date: Wed Jan 14 10:28:55 EST 2015
gmp-openh264: check buffer length before we overwrite with start code.
--- a/module/gmp-openh264.cpp
+++ b/module/gmp-openh264.cpp
@@ -622,7 +622,9 @@
case GMP_BufferLength32: {
uint8_t* start_code = inputFrame->Buffer();
- while (start_code < inputFrame->Buffer() + inputFrame->Size()) {
+ // start code should be at least four bytes from the end or we risk
+ // reading/writing outside the buffer.
+ while (start_code < inputFrame->Buffer() + inputFrame->Size() - 4) {
static const uint8_t code[] = { 0x00, 0x00, 0x00, 0x01 };
uint8_t* lenp = start_code;
start_code += * (reinterpret_cast<int32_t*> (lenp));