summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Glastonbury <dan.glastonbury@gmail.com>2018-02-20 16:16:10 -0500
committerwolfbeast <mcwerewolf@gmail.com>2018-03-14 11:02:02 +0100
commitf87d25ee403c69d4f19a910d7b18f96dd3da8d51 (patch)
tree67c7930d51eca9c60114f2ad0f1f47e9864b0591
parent5babf7dc56e5d8fcd566845bbc991989a5b1c7b1 (diff)
downloadUXP-f87d25ee403c69d4f19a910d7b18f96dd3da8d51.tar
UXP-f87d25ee403c69d4f19a910d7b18f96dd3da8d51.tar.gz
UXP-f87d25ee403c69d4f19a910d7b18f96dd3da8d51.tar.lz
UXP-f87d25ee403c69d4f19a910d7b18f96dd3da8d51.tar.xz
UXP-f87d25ee403c69d4f19a910d7b18f96dd3da8d51.zip
Bug 1428947 - Check plane width & stride constraints. r=mattwoodrow, a=ritu
MozReview-Commit-ID: 328ETwMdVnq --HG-- extra : rebase_source : e16b28d137de080f9d8495c6937e24ac16b16ab1
-rw-r--r--dom/media/MediaData.cpp2
-rw-r--r--gfx/layers/ImageContainer.cpp23
2 files changed, 14 insertions, 11 deletions
diff --git a/dom/media/MediaData.cpp b/dom/media/MediaData.cpp
index 0439a7473..4a52c22ae 100644
--- a/dom/media/MediaData.cpp
+++ b/dom/media/MediaData.cpp
@@ -90,7 +90,7 @@ ValidatePlane(const VideoData::YCbCrBuffer::Plane& aPlane)
return aPlane.mWidth <= PlanarYCbCrImage::MAX_DIMENSION &&
aPlane.mHeight <= PlanarYCbCrImage::MAX_DIMENSION &&
aPlane.mWidth * aPlane.mHeight < MAX_VIDEO_WIDTH * MAX_VIDEO_HEIGHT &&
- aPlane.mStride > 0;
+ aPlane.mStride > 0 && aPlane.mWidth <= aPlane.mStride;
}
#ifdef MOZ_WIDGET_GONK
diff --git a/gfx/layers/ImageContainer.cpp b/gfx/layers/ImageContainer.cpp
index 8072e0401..5e4019e86 100644
--- a/gfx/layers/ImageContainer.cpp
+++ b/gfx/layers/ImageContainer.cpp
@@ -438,12 +438,15 @@ static void
CopyPlane(uint8_t *aDst, const uint8_t *aSrc,
const gfx::IntSize &aSize, int32_t aStride, int32_t aSkip)
{
+ int32_t height = aSize.height;
+ int32_t width = aSize.width;
+
+ MOZ_RELEASE_ASSERT(width <= aStride);
+
if (!aSkip) {
// Fast path: planar input.
- memcpy(aDst, aSrc, aSize.height * aStride);
+ memcpy(aDst, aSrc, height * aStride);
} else {
- int32_t height = aSize.height;
- int32_t width = aSize.width;
for (int y = 0; y < height; ++y) {
const uint8_t *src = aSrc;
uint8_t *dst = aDst;
@@ -461,13 +464,11 @@ CopyPlane(uint8_t *aDst, const uint8_t *aSrc,
bool
RecyclingPlanarYCbCrImage::CopyData(const Data& aData)
{
- mData = aData;
-
// update buffer size
// Use uint32_t throughout to match AllocateBuffer's param and mBufferSize
const auto checkedSize =
- CheckedInt<uint32_t>(mData.mCbCrStride) * mData.mCbCrSize.height * 2 +
- CheckedInt<uint32_t>(mData.mYStride) * mData.mYSize.height;
+ CheckedInt<uint32_t>(aData.mCbCrStride) * aData.mCbCrSize.height * 2 +
+ CheckedInt<uint32_t>(aData.mYStride) * aData.mYSize.height;
if (!checkedSize.isValid())
return false;
@@ -482,16 +483,18 @@ RecyclingPlanarYCbCrImage::CopyData(const Data& aData)
// update buffer size
mBufferSize = size;
+ mData = aData;
mData.mYChannel = mBuffer.get();
mData.mCbChannel = mData.mYChannel + mData.mYStride * mData.mYSize.height;
mData.mCrChannel = mData.mCbChannel + mData.mCbCrStride * mData.mCbCrSize.height;
+ mData.mYSkip = mData.mCbSkip = mData.mCrSkip = 0;
CopyPlane(mData.mYChannel, aData.mYChannel,
- mData.mYSize, mData.mYStride, mData.mYSkip);
+ aData.mYSize, aData.mYStride, aData.mYSkip);
CopyPlane(mData.mCbChannel, aData.mCbChannel,
- mData.mCbCrSize, mData.mCbCrStride, mData.mCbSkip);
+ aData.mCbCrSize, aData.mCbCrStride, aData.mCbSkip);
CopyPlane(mData.mCrChannel, aData.mCrChannel,
- mData.mCbCrSize, mData.mCbCrStride, mData.mCrSkip);
+ aData.mCbCrSize, aData.mCbCrStride, aData.mCrSkip);
mSize = aData.mPicSize;
mOrigin = gfx::IntPoint(aData.mPicX, aData.mPicY);