[webkit-changes] [WebKit/WebKit] 25257b: [WebRTC] Incorrect length check in getSequenceHead...
Commit Queue
noreply at github.com
Mon Mar 11 08:31:48 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 25257b2a5f814303f58c5f826d2ce6b05a9bd56a
https://github.com/WebKit/WebKit/commit/25257b2a5f814303f58c5f826d2ce6b05a9bd56a
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebCore/platform/video-codecs/cocoa/RTCVideoDecoderVTBAV1.mm
Log Message:
-----------
[WebRTC] Incorrect length check in getSequenceHeaderOBU() for AV1 decoder support
https://bugs.webkit.org/show_bug.cgi?id=270760
<rdar://124334942>
Reviewed by Youenn Fablet.
* Source/WebCore/platform/video-codecs/cocoa/RTCVideoDecoderVTBAV1.mm:
(BitReader::readBit):
- Make method private since it's only used within the class.
(readULEBSize):
- Move std::numeric_limits<uint32_t>::max() check after `value` is
computed. This was a secondary bug that caused unsigned integer
overflow in getSequenceHeaderOBU().
(getSequenceHeaderOBU):
- Change `payloadSize` to be a Checked<size_t> variable.
- Fix length check to include `index + payloadSize`. This was the
original bug that caused more than data.size() bytes to be read.
Canonical link: https://commits.webkit.org/275904@main
To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
More information about the webkit-changes
mailing list