Skip to content

Commit 5c94c92

Browse files
SyedAbuTalibmibrunin
SyedAbuTalib
authored and
mibrunin
committed
[Backport] Security bug 379715150
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/6032156: Use temporary variable to prevent heap-use-after-free There is a UAF in stable as DecoderBuffer::side_data() returns a temporary object. Raw pointers into its owned members will be dangling (seen in next line) Also, this was fixed in https://chromium-review.googlesource.com/c/chromium/src/+/5893004 but that is in M132, not M131. Bug: 379715150 Change-Id: I52e95503c4c5daaed58514a1d007335c1a3cab74 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6032156 Reviewed-by: Thomas Guilbert <[email protected]> Commit-Queue: Syed AbuTalib <[email protected]> Reviewed-by: Dale Curtis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1385358} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615721 Reviewed-by: Anu Aliyas <[email protected]>
1 parent 7a4fd50 commit 5c94c92

File tree

1 file changed

+3
-5
lines changed

1 file changed

+3
-5
lines changed

chromium/media/gpu/v4l2/v4l2_vp9_helpers.cc

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -104,16 +104,14 @@ bool OverwriteShowFrame(base::span<uint8_t> frame_data,
104104

105105
bool AppendVP9SuperFrameIndex(scoped_refptr<DecoderBuffer>& buffer) {
106106
DCHECK(buffer->has_side_data());
107-
DCHECK(!buffer->side_data()->spatial_layers.empty());
107+
std::vector<uint32_t> frame_sizes = buffer->side_data()->spatial_layers;
108+
DCHECK(!frame_sizes.empty());
108109

109-
const size_t num_of_layers = buffer->side_data()->spatial_layers.size();
110-
if (num_of_layers > 3u) {
110+
if (frame_sizes.size() > 3u) {
111111
LOG(ERROR) << "The maximum number of spatial layers in VP9 is three";
112112
return false;
113113
}
114114

115-
const uint32_t* cue_data = buffer->side_data()->spatial_layers.data();
116-
std::vector<uint32_t> frame_sizes(cue_data, cue_data + num_of_layers);
117115
std::vector<uint8_t> superframe_index = CreateSuperFrameIndex(frame_sizes);
118116
const size_t vp9_superframe_size = buffer->size() + superframe_index.size();
119117
auto vp9_superframe = base::HeapArray<uint8_t>::Uninit(vp9_superframe_size);

0 commit comments

Comments
 (0)