From f358c4dfa98a079816afe53f0449d5f1ce93244c Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@wolfbeast.com>
Date: Thu, 7 May 2020 13:36:54 +0200
Subject: Issue #1536 - Part 1: Add timecode checking for the WebM parser

---
 dom/media/webm/WebMBufferedParser.cpp | 9 +++++++++
 dom/media/webm/WebMBufferedParser.h   | 4 ++++
 2 files changed, 13 insertions(+)

(limited to 'dom')

diff --git a/dom/media/webm/WebMBufferedParser.cpp b/dom/media/webm/WebMBufferedParser.cpp
index 21154ab4b..0f6b0cd54 100644
--- a/dom/media/webm/WebMBufferedParser.cpp
+++ b/dom/media/webm/WebMBufferedParser.cpp
@@ -113,6 +113,7 @@ bool WebMBufferedParser::Append(const unsigned char* aBuffer, uint32_t aLength,
         } else {
           mClusterEndOffset = -1;
         }
+        mGotClusterTimecode = false;
         mState = READ_ELEMENT_ID;
         break;
       case BLOCKGROUP_ID:
@@ -121,6 +122,11 @@ bool WebMBufferedParser::Append(const unsigned char* aBuffer, uint32_t aLength,
       case SIMPLEBLOCK_ID:
         /* FALLTHROUGH */
       case BLOCK_ID:
+        if (!mGotClusterTimecode) {
+          WEBM_DEBUG("The Timecode element must appear before any Block or "
+                     "SimpleBlock elements in a Cluster");
+          return false;
+        }
         mBlockSize = mElement.mSize.mValue;
         mBlockTimecode = 0;
         mBlockTimecodeLength = BLOCK_TIMECODE_LENGTH;
@@ -164,6 +170,7 @@ bool WebMBufferedParser::Append(const unsigned char* aBuffer, uint32_t aLength,
       break;
     case READ_TIMECODESCALE:
       if (!mGotTimecodeScale) {
+        WEBM_DEBUG("Should get the SegmentInfo first");
         return false;
       }
       mTimecodeScale = mVInt.mValue;
@@ -171,6 +178,7 @@ bool WebMBufferedParser::Append(const unsigned char* aBuffer, uint32_t aLength,
       break;
     case READ_CLUSTER_TIMECODE:
       mClusterTimecode = mVInt.mValue;
+      mGotClusterTimecode = true;
       mState = READ_ELEMENT_ID;
       break;
     case READ_BLOCK_TIMECODE:
@@ -190,6 +198,7 @@ bool WebMBufferedParser::Append(const unsigned char* aBuffer, uint32_t aLength,
             // Don't insert invalid negative timecodes.
             if (mBlockTimecode >= 0 || mClusterTimecode >= uint16_t(abs(mBlockTimecode))) {
               if (!mGotTimecodeScale) {
+                WEBM_DEBUG("Should get the TimecodeScale first");
                 return false;
               }
               uint64_t absTimecode = mClusterTimecode + mBlockTimecode;
diff --git a/dom/media/webm/WebMBufferedParser.h b/dom/media/webm/WebMBufferedParser.h
index bc3de4ba0..858653fc1 100644
--- a/dom/media/webm/WebMBufferedParser.h
+++ b/dom/media/webm/WebMBufferedParser.h
@@ -75,6 +75,7 @@ struct WebMBufferedParser
     , mSkipBytes(0)
     , mTimecodeScale(1000000)
     , mGotTimecodeScale(false)
+    , mGotClusterTimecode(false)
   {
     if (mStartOffset != 0) {
       mState = FIND_CLUSTER_SYNC;
@@ -260,6 +261,9 @@ private:
   // True if we read the timecode scale from the segment info or have
   // confirmed that the default value is to be used.
   bool mGotTimecodeScale;
+
+  // True if we've read the cluster time code.
+  bool mGotClusterTimecode;
 };
 
 class WebMBufferedState final
-- 
cgit v1.2.3