Add extra checks to avoid integer overflow.

BUG=425980 TEST=no crash with ASAN Review URL: https://codereview.chromium.org/659743004 Cr-Commit-Position: refs/heads/master@{#301249}
280723148 · Oct 25, 2014 · b2006ac · b2006ac
1 parent 55aa718
commit b2006ac
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/media/base/container_names.cc b/media/base/container_names.cc
@@ -954,7 +954,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) {
 
   int offset = 0;
   while (offset + 8 < buffer_size) {
-    int atomsize = Read32(buffer + offset);
+    uint32 atomsize = Read32(buffer + offset);
     uint32 atomtype = Read32(buffer + offset + 4);
     // Only need to check for ones that are valid at the top level.
     switch (atomtype) {
@@ -985,7 +985,7 @@ static bool CheckMov(const uint8* buffer, int buffer_size) {
         break;  // Offset is way past buffer size.
       atomsize = Read32(buffer + offset + 12);
     }
-    if (atomsize <= 0)
+    if (atomsize == 0 || atomsize > static_cast<size_t>(buffer_size))
       break;  // Indicates the last atom or length too big.
     offset += atomsize;
   }