Changeset 284434 in webkit
Timestamp:
Oct 18, 2021 8:51:56 PM (9 months ago)
Author:
Jean-Yves Avenard
Message:

WebM with invalid size should fail to load with error
https://bugs.webkit.org/show_bug.cgi?id=231886
rdar://77969801

Reviewed by Jer Noble.

Source/WebCore:

libwebm, for some elements, uses a std::string or a std::vector<uint8_t>
to store their content. Those have infallible memory allocators.
We limit the size we allow the parser to use to some reasonable values.

Test: media/media-webm-invalid-check.html

  • platform/graphics/cocoa/SourceBufferParserWebM.cpp:
    (WebCore::SourceBufferParserWebM::OnElementBegin):

LayoutTests:

  • media/content/invalid-size.webm: Added.
  • media/media-webm-invalid-check-expected.txt: Added.
  • media/media-webm-invalid-check.html: Added.
Location:
trunk
Files:
3 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r284429 r284434  
     12021-10-18  Jean-Yves Avenard  <jya@apple.com>
     2
     3        WebM with invalid size should fail to load with error
     4        https://bugs.webkit.org/show_bug.cgi?id=231886
     5        rdar://77969801
     6
     7        Reviewed by Jer Noble.
     8
     9        * media/content/invalid-size.webm: Added.
     10        * media/media-webm-invalid-check-expected.txt: Added.
     11        * media/media-webm-invalid-check.html: Added.
     12
    1132021-10-18  Commit Queue  <commit-queue@webkit.org>
    214
  • trunk/Source/WebCore/ChangeLog

    r284432 r284434  
     12021-10-18  Jean-Yves Avenard  <jya@apple.com>
     2
     3        WebM with invalid size should fail to load with error
     4        https://bugs.webkit.org/show_bug.cgi?id=231886
     5        rdar://77969801
     6
     7        Reviewed by Jer Noble.
     8
     9        libwebm for some elements are using a std::string or a std::vector<uint8_t>
     10        to store their content. Those have infallible memory allocators.
     11        We limit the size we allow the parser to use to some reasonable values.
     12
     13        Test: media/media-webm-invalid-check.html
     14
     15        * platform/graphics/cocoa/SourceBufferParserWebM.cpp:
     16        (WebCore::SourceBufferParserWebM::OnElementBegin):
     17
    1182021-10-18  Alan Bujtas  <zalan@apple.com>
    219
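Review bot: The description at lines 9-11 says the parser is limited "to some reasonable values" without naming them; stating the chosen caps here (1 MiB for the string elements and 16 MiB for the binary elements, as set in the SourceBufferParserWebM.cpp change of this changeset) would let someone reading the log judge the limits without opening the source. Grammar nit at line 9: "libwebm for some elements are using" should read "libwebm, for some elements, uses".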
  • trunk/Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.cpp

    r282865 r284434  
    835835    INFO_LOG_IF_POSSIBLE(LOGIDENTIFIER, "state(", oldState, "->", m_state, "), id(", metadata.id, "), position(", metadata.position, "), headerSize(", metadata.header_size, "), size(", metadata.size, ")");
    836836
     837    // Apply some sanity check; libwebm::StringParser will read the content into a std::string and ByteParser into a std::vector
     838    std::optional<size_t> maxElementSizeAllowed;
     839    switch (metadata.id) {
     840    case Id::kChapterStringUid:
     841    case Id::kChapString:
     842    case Id::kChapLanguage:
     843    case Id::kChapCountry:
     844    case Id::kDocType:
     845    case Id::kTitle:
     846    case Id::kMuxingApp:
     847    case Id::kWritingApp:
     848    case Id::kTagName:
     849    case Id::kTagLanguage:
     850    case Id::kTagString:
     851    case Id::kTargetType:
     852    case Id::kName:
     853    case Id::kLanguage:
     854    case Id::kCodecId:
     855    case Id::kCodecName:
     856        maxElementSizeAllowed = 1 * 1024 * 1024; // 1MiB
     857        break;
     858    case Id::kBlockAdditional:
     859    case Id::kContentEncKeyId:
     860    case Id::kProjectionPrivate:
     861    case Id::kTagBinary:
     862        maxElementSizeAllowed = 16 * 1024 * 1024; // 16MiB
     863        break;
     864    default:
     865        break;
     866    }
     867    if (maxElementSizeAllowed && metadata.size >= *maxElementSizeAllowed)
     868        return Status(Status::kNotEnoughMemory);
     869
    837870    return Status(Status::kOkCompleted);
    838871}
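Review bot: The comparison at line 867, `metadata.size >= *maxElementSizeAllowed`, rejects an element whose size is exactly 1 MiB or 16 MiB, even though the comments (`// 1MiB`, `// 16MiB`) and the name `maxElementSizeAllowed` read as inclusive maxima; either change it to `>` or rename/comment the limits as exclusive bounds so the boundary is visibly deliberate rather than an off-by-one. Two smaller points: the comment at line 837 would be more useful if it said why the check matters (StringParser and ByteParser allocate through infallible allocators, so a size taken from the file would otherwise become an allocation failure that cannot be reported as a load error), and the id list at lines 840-861 carries no pointer to how it was derived from libwebm, which makes it easy to miss newly added string or binary elements when libwebm is updated; a short comment naming the libwebm parser tables it mirrors would help keep it in sync.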