Issue 675364

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


ParseScaling Overflow.

Reported by mishra.d...@gmail.com, Dec 17 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

Steps to reproduce the problem:
Hi,

https://chromium.googlesource.com/dart/dartium/src/+/releases/1650/content/common/gpu/media/h264_parser.cc

// Parse scaling_list4x4
Whereas: res = ParseScalingList(sizeof(sps->scaling_list4x4[i]),
                                sps->scaling_list4x4[i], &use_default);

sizeof(sps->scaling_list4x4[i]) is used in the function as a count of int elements, which can cause an overflow.

What is the expected behavior?

What went wrong?
sizeof(sps->scaling_list4x4[i])

Did this work before? N/A 

Chrome version: 53.0.2785.143 (Developer Build) Built on Ubuntu, running on Ubuntu 16.04 (64-bit)  Channel: n/a
OS Version: V8 5.3.332.47
Flash Version: Shockwave Flash 11.2 r202

This might cause an overflow!
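The mismatch the report is pointing at is a general C pitfall: sizeof yields a byte count, while a parser that fills an int array expects an element count. The following is an added, constructed example (not Chromium's code and not the reporter's) that uses a struct shaped like the scaling lists named above (six lists of 16 ints, a hypothetical layout), a made-up in-memory stream in place of real exp-Golomb decoding, and a hypothetical parse_scaling_list that takes the destination's capacity as a separate argument so it can refuse a byte count instead of writing past the array. The ARRAY_ELEMS macro is the usual fix on the caller side.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the SPS scaling lists the report talks about:
 * six 4x4 lists of 16 ints. This is an assumed layout, not Chromium's. */
#define K4X4_LISTS 6
#define K4X4_LEN   16

struct sps_like {
    int scaling_list4x4[K4X4_LISTS][K4X4_LEN];
};

/* Element count of a fixed-size array; sizeof alone gives bytes. */
#define ARRAY_ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical in-memory stream of already-decoded values
 * (real H.264 scaling lists are exp-Golomb coded; out of scope here). */
struct stream {
    const int *data;
    size_t len;
    size_t pos;
};

/* Shaped like a scaling-list parser that fills `count` ints into `out`.
 * The extra `capacity` argument is the defensive check: a count larger
 * than the destination is rejected before any write happens.
 * Returns elements written, or -1 on a bad count or exhausted stream. */
static int parse_scaling_list(struct stream *s, size_t count,
                              int *out, size_t capacity)
{
    if (count > capacity)
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (s->pos >= s->len)
            return -1;
        out[i] = s->data[s->pos++];
    }
    return (int)count;
}

/* What sizeof(sps->scaling_list4x4[i]) actually yields: bytes, not ints. */
size_t count_from_sizeof(void)
{
    return sizeof(((struct sps_like *)0)->scaling_list4x4[0]);
}

/* The count a caller should pass: the number of int elements. */
size_t count_from_elems(void)
{
    return ARRAY_ELEMS(((struct sps_like *)0)->scaling_list4x4[0]);
}

/* Constructed sample stream: values 0, 1, 2, ... for all six lists. */
static void fill_sample(int *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (int)i;
}

/* Caller passes sizeof() as the count: the callee's capacity check
 * refuses it (64 > 16 with 4-byte ints) instead of overrunning `out`. */
int demo_bytes_as_count(void)
{
    struct sps_like sps;
    int data[K4X4_LISTS * K4X4_LEN];
    fill_sample(data, ARRAY_ELEMS(data));
    struct stream s = { data, ARRAY_ELEMS(data), 0 };
    return parse_scaling_list(&s, sizeof(sps.scaling_list4x4[0]),
                              sps.scaling_list4x4[0],
                              ARRAY_ELEMS(sps.scaling_list4x4[0]));
}

/* Caller passes the element count: all six lists parse, and the last
 * element of the last list holds stream value 95. */
int demo_elems_as_count(void)
{
    struct sps_like sps;
    int data[K4X4_LISTS * K4X4_LEN];
    fill_sample(data, ARRAY_ELEMS(data));
    struct stream s = { data, ARRAY_ELEMS(data), 0 };
    for (size_t i = 0; i < K4X4_LISTS; i++) {
        int r = parse_scaling_list(&s, ARRAY_ELEMS(sps.scaling_list4x4[i]),
                                   sps.scaling_list4x4[i],
                                   ARRAY_ELEMS(sps.scaling_list4x4[i]));
        if (r != K4X4_LEN)
            return -1;
    }
    return sps.scaling_list4x4[K4X4_LISTS - 1][K4X4_LEN - 1];
}

int main(void)
{
    printf("sizeof gives %zu, element count is %zu\n",
           count_from_sizeof(), count_from_elems());
    printf("bytes as count -> %d, elems as count -> %d\n",
           demo_bytes_as_count(), demo_elems_as_count());
    return 0;
}
```

The triage reply below notes that validation may live elsewhere; the capacity argument here is one place such validation can sit so that a caller-side sizeof mistake is caught by the callee rather than relying on every call site being right.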
 
Status: WontFix (was: Unconfirmed)
It might, but there are many potential false positives when looking for issues like this. Validation may be done in another place. If you have a reproduction case that affects chrome, please file a new bug.
Comment 2 by sheriffbot@chromium.org (Project Member), Mar 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot