Title: [286231] branches/safari-612-branch
Revision: 286231
Author: repst...@apple.com
Date: 2021-11-29 11:37:43 -0800 (Mon, 29 Nov 2021)
Log Message
Cherry-pick r284434. rdar://problem/77969801
WebM with invalid size should fail to load with error
https://bugs.webkit.org/show_bug.cgi?id=231886
rdar://77969801
Reviewed by Jer Noble.
Source/WebCore:
For some elements, libwebm uses a std::string or a std::vector<uint8_t>
to store their content. Those have infallible memory allocators.
We limit the size we allow the parser to use to some reasonable values.
Test: media/media-webm-invalid-check.html
* platform/graphics/cocoa/SourceBufferParserWebM.cpp:
(WebCore::SourceBufferParserWebM::OnElementBegin):
LayoutTests:
* media/content/invalid-size.webm: Added.
* media/media-webm-invalid-check-expected.txt: Added.
* media/media-webm-invalid-check.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284434 268f45cc-cd09-0410-ab3c-d52691b4dbfc
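The fix described above rejects an element in OnElementBegin, i.e. from the declared size in the element header, before libwebm's StringParser or ByteParser builds a std::string or std::vector for the payload. The following is an added example, not WebKit or libwebm code, showing that pattern end to end on a minimal EBML element-header reader: it decodes the element ID and the variable-length size integer ("vint"), applies a per-ID cap in the same two tiers as the patch (1 MiB for string elements, 16 MiB for binary ones), uses the patch's inclusive `>=` comparison, and additionally refuses to treat the all-ones "unknown size" vint as an allocation length. The element IDs are the Matroska/WebM IDs as I know them, the cap table is my own assumption (the patch's full list lives in the diff below), and the byte sequences in `main` are constructed fixtures, not content from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <optional>
#include <vector>

// Added example, not WebKit or libwebm code: a minimal EBML/WebM element-header
// reader that enforces a per-element size cap before any payload buffer exists.
// Element IDs below are the Matroska/WebM IDs as I know them; the cap tiers mirror
// the 1 MiB / 16 MiB values of r284434 and the table itself is an assumption.

enum class HeaderStatus { Ok, Truncated, BadVint, TooLarge, UnknownSize };

struct ElementHeader {
    uint32_t id = 0;       // raw EBML ID, length-marker bits kept (0x4282 = DocType)
    uint64_t size = 0;     // declared payload size in bytes
    size_t headerSize = 0; // bytes consumed by the ID plus the size vint
};

// Width of an EBML variable-length integer from its first byte, or 0 if invalid.
// The number of leading zero bits plus one gives the width (1..maxWidth).
static size_t vintWidth(uint8_t first, size_t maxWidth) {
    size_t width = 1;
    for (uint8_t mask = 0x80; width <= maxWidth && !(first & mask); mask >>= 1)
        ++width;
    return width <= maxWidth ? width : 0;
}

// Reads the element ID (1..4 bytes). IDs keep their marker bit, so the raw bytes are kept.
static size_t readId(const uint8_t* p, size_t avail, uint32_t& id) {
    if (!avail) return 0;
    size_t width = vintWidth(p[0], 4);
    if (!width || avail < width) return 0;
    id = 0;
    for (size_t i = 0; i < width; ++i) id = (id << 8) | p[i];
    return width;
}

// Reads the size vint (1..8 bytes) with the marker bit stripped. An all-ones value
// field means "unknown size" (live streams); it must never become an allocation length.
static size_t readSize(const uint8_t* p, size_t avail, uint64_t& size, bool& unknown) {
    if (!avail) return 0;
    size_t width = vintWidth(p[0], 8);
    if (!width || avail < width) return 0;
    uint8_t marker = static_cast<uint8_t>(0x80 >> (width - 1));
    uint64_t valueMask = marker - 1;
    size = p[0] & valueMask;
    unknown = (size == valueMask);
    for (size_t i = 1; i < width; ++i) {
        size = (size << 8) | p[i];
        if (p[i] != 0xFF) unknown = false;
    }
    return width;
}

// Hypothetical cap table keyed by raw element ID, in the spirit of the patch's switch.
static std::optional<uint64_t> maxSizeFor(uint32_t id) {
    switch (id) {
    case 0x4282:   // DocType    (string)
    case 0x7BA9:   // Title      (string)
    case 0x4D80:   // MuxingApp  (string)
    case 0x5741:   // WritingApp (string)
    case 0x86:     // CodecID    (string)
        return 1ull << 20;   // 1 MiB
    case 0x47E2:   // ContentEncKeyID (binary)
    case 0x4485:   // TagBinary       (binary)
        return 16ull << 20;  // 16 MiB
    default:
        return std::nullopt; // elements not covered here are left to the caller
    }
}

// Decodes one element header at `offset` and applies the cap before the caller
// would allocate anything for the payload.
static HeaderStatus parseElementHeader(const std::vector<uint8_t>& buf, size_t offset, ElementHeader& out) {
    if (offset >= buf.size()) return HeaderStatus::Truncated;
    const uint8_t* p = buf.data() + offset;
    size_t avail = buf.size() - offset;
    size_t idLen = readId(p, avail, out.id);
    if (!idLen) return HeaderStatus::BadVint;
    bool unknown = false;
    size_t sizeLen = readSize(p + idLen, avail - idLen, out.size, unknown);
    if (!sizeLen) return HeaderStatus::BadVint;
    out.headerSize = idLen + sizeLen;
    auto cap = maxSizeFor(out.id);
    if (!cap) return HeaderStatus::Ok;
    if (unknown) return HeaderStatus::UnknownSize;
    // Same inclusive comparison as the patch: a size equal to the cap is rejected too.
    if (out.size >= *cap) return HeaderStatus::TooLarge;
    return HeaderStatus::Ok;
}

// Convenience wrappers over constructed byte sequences.
static HeaderStatus classify(std::initializer_list<uint8_t> bytes) {
    ElementHeader h;
    return parseElementHeader(std::vector<uint8_t>(bytes), 0, h);
}
static uint64_t declaredSize(std::initializer_list<uint8_t> bytes) {
    ElementHeader h;
    parseElementHeader(std::vector<uint8_t>(bytes), 0, h);
    return h.size;
}

int main() {
    // Constructed headers: DocType "webm" (4 bytes), DocType claiming 2 MiB,
    // DocType with the unknown-size vint, Title claiming exactly 1 MiB.
    std::printf("DocType 4 bytes    -> %d\n", static_cast<int>(classify({0x42, 0x82, 0x84, 'w', 'e', 'b', 'm'})));
    std::printf("DocType 2 MiB      -> %d\n", static_cast<int>(classify({0x42, 0x82, 0x10, 0x20, 0x00, 0x00})));
    std::printf("DocType unknown    -> %d\n", static_cast<int>(classify({0x42, 0x82, 0xFF})));
    std::printf("Title exactly 1 MiB-> %d\n", static_cast<int>(classify({0x7B, 0xA9, 0x30, 0x00, 0x00})));
    return 0;
}
```

The cap is checked against the declared size only, so a truncated file that claims a huge element is rejected without ever reading the payload, which is the property the patch relies on. Whether a size equal to the cap should pass is a policy choice; the example keeps the patch's `>=` so the two agree.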
Diff
Modified: branches/safari-612-branch/LayoutTests/ChangeLog (286230 => 286231)
--- branches/safari-612-branch/LayoutTests/ChangeLog 2021-11-29 19:37:39 UTC (rev 286230)
+++ branches/safari-612-branch/LayoutTests/ChangeLog 2021-11-29 19:37:43 UTC (rev 286231)
@@ -1,3 +1,45 @@
+2021-11-11 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r284434. rdar://problem/77969801
+
+ WebM with invalid size should fail to load with error
+ https://bugs.webkit.org/show_bug.cgi?id=231886
+ rdar://77969801
+
+ Reviewed by Jer Noble.
+
+ Source/WebCore:
+
+ libwebm for some elements are using a std::string or a std::vector<uint8_t>
+ to store their content. Those have infallible memory allocators.
+ We limit the size we allow the parser to use to some reasonable values.
+
+ Test: media/media-webm-invalid-check.html
+
+ * platform/graphics/cocoa/SourceBufferParserWebM.cpp:
+ (WebCore::SourceBufferParserWebM::OnElementBegin):
+
+ LayoutTests:
+
+ * media/content/invalid-size.webm: Added.
+ * media/media-webm-invalid-check-expected.txt: Added.
+ * media/media-webm-invalid-check.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284434 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-10-18 Jean-Yves Avenard <j...@apple.com>
+
+ WebM with invalid size should fail to load with error
+ https://bugs.webkit.org/show_bug.cgi?id=231886
+ rdar://77969801
+
+ Reviewed by Jer Noble.
+
+ * media/content/invalid-size.webm: Added.
+ * media/media-webm-invalid-check-expected.txt: Added.
+ * media/media-webm-invalid-check.html: Added.
+
2021-11-09 Alan Coon <alanc...@apple.com>
Cherry-pick r285389. rdar://problem/84380291
Added: branches/safari-612-branch/LayoutTests/media/content/invalid-size.webm (0 => 286231)
--- branches/safari-612-branch/LayoutTests/media/content/invalid-size.webm (rev 0)
+++ branches/safari-612-branch/LayoutTests/media/content/invalid-size.webm 2021-11-29 19:37:43 UTC (rev 286231)
@@ -0,0 +1 @@
+Eߣ\xFFB\x82AAAAAA\xC0t]@\xFF\xFFw\x80\xBBS\xACM\x9Bt\x8DM\xBB\xF9\xFB\xFF\xFF\x86a\x86a\x86\xACI\xA9f\x88*Ա
\ No newline at end of file
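Review bot: the fixture is a binary file, so this hunk cannot be reviewed for content here; the ChangeLog entry only says `* media/content/invalid-size.webm: Added.`, and a short note there on what is malformed in the file (which element carries the oversized declared size) would let a future reader tell whether the test still exercises the new OnElementBegin check after the fixture or the parser changes.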
Added: branches/safari-612-branch/LayoutTests/media/media-webm-invalid-check-expected.txt (0 => 286231)
--- branches/safari-612-branch/LayoutTests/media/media-webm-invalid-check-expected.txt (rev 0)
+++ branches/safari-612-branch/LayoutTests/media/media-webm-invalid-check-expected.txt 2021-11-29 19:37:43 UTC (rev 286231)
@@ -0,0 +1,6 @@
+
+RUN(video.src = ""
+EVENT(error)
+Properly failed to load media OK
+END OF TEST
+
Added: branches/safari-612-branch/LayoutTests/media/media-webm-invalid-check.html (0 => 286231)
--- branches/safari-612-branch/LayoutTests/media/media-webm-invalid-check.html (rev 0)
+++ branches/safari-612-branch/LayoutTests/media/media-webm-invalid-check.html 2021-11-29 19:37:43 UTC (rev 286231)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>media-webm-no-duration</title>
+ <script src=""
+ <script>
+ window.addEventListener('load', async event => {
+ try {
+ window.video = document.querySelector('video');
+ run('video.src = ""
+ waitFor(video, 'error').then(e => {
+ passTest('Properly failed to load media');
+ endTest();
+ });
+ } catch(e) {
+ failTest(e);
+ }
+ });
+ </script>
+</head>
+<body>
+ <video controls></video>
+</body>
+</html>
\ No newline at end of file
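Review bot: in the load handler, `waitFor(video, 'error').then(...)` is not awaited, so a rejection from `waitFor` (for example a timeout because the element never fires `error`) escapes the surrounding try/catch and `failTest(e)` is never reached; `await waitFor(video, 'error');` followed by `passTest(...)` and `endTest()` keeps the failure path inside the try. The test also passes on any `error` event, so a regression that fails the load for an unrelated reason would still be green; checking `video.error.code` after the event would tie it to the rejected source. Minor: the `<title>` reads `media-webm-no-duration`, which looks copied from another test, while the file is `media-webm-invalid-check.html`.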
Modified: branches/safari-612-branch/Source/WebCore/ChangeLog (286230 => 286231)
--- branches/safari-612-branch/Source/WebCore/ChangeLog 2021-11-29 19:37:39 UTC (rev 286230)
+++ branches/safari-612-branch/Source/WebCore/ChangeLog 2021-11-29 19:37:43 UTC (rev 286231)
@@ -1,3 +1,50 @@
+2021-11-11 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r284434. rdar://problem/77969801
+
+ WebM with invalid size should fail to load with error
+ https://bugs.webkit.org/show_bug.cgi?id=231886
+ rdar://77969801
+
+ Reviewed by Jer Noble.
+
+ Source/WebCore:
+
+ libwebm for some elements are using a std::string or a std::vector<uint8_t>
+ to store their content. Those have infallible memory allocators.
+ We limit the size we allow the parser to use to some reasonable values.
+
+ Test: media/media-webm-invalid-check.html
+
+ * platform/graphics/cocoa/SourceBufferParserWebM.cpp:
+ (WebCore::SourceBufferParserWebM::OnElementBegin):
+
+ LayoutTests:
+
+ * media/content/invalid-size.webm: Added.
+ * media/media-webm-invalid-check-expected.txt: Added.
+ * media/media-webm-invalid-check.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284434 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-10-18 Jean-Yves Avenard <j...@apple.com>
+
+ WebM with invalid size should fail to load with error
+ https://bugs.webkit.org/show_bug.cgi?id=231886
+ rdar://77969801
+
+ Reviewed by Jer Noble.
+
+ libwebm for some elements are using a std::string or a std::vector<uint8_t>
+ to store their content. Those have infallible memory allocators.
+ We limit the size we allow the parser to use to some reasonable values.
+
+ Test: media/media-webm-invalid-check.html
+
+ * platform/graphics/cocoa/SourceBufferParserWebM.cpp:
+ (WebCore::SourceBufferParserWebM::OnElementBegin):
+
2021-11-08 Kocsen Chung <kocsen_ch...@apple.com>
Cherry-pick r285236. rdar://problem/83950623
Modified: branches/safari-612-branch/Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.cpp (286230 => 286231)
--- branches/safari-612-branch/Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.cpp 2021-11-29 19:37:39 UTC (rev 286230)
+++ branches/safari-612-branch/Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.cpp 2021-11-29 19:37:43 UTC (rev 286231)
@@ -834,6 +834,39 @@
INFO_LOG_IF_POSSIBLE(LOGIDENTIFIER, "state(", oldState, "->", m_state, "), id(", metadata.id, "), position(", metadata.position, "), headerSize(", metadata.header_size, "), size(", metadata.size, ")");
+ // Apply some sanity check; libwebm::StringParser will read the content into a std::string and ByteParser into a std::vector
+ std::optional<size_t> maxElementSizeAllowed;
+ switch (metadata.id) {
+ case Id::kChapterStringUid:
+ case Id::kChapString:
+ case Id::kChapLanguage:
+ case Id::kChapCountry:
+ case Id::kDocType:
+ case Id::kTitle:
+ case Id::kMuxingApp:
+ case Id::kWritingApp:
+ case Id::kTagName:
+ case Id::kTagLanguage:
+ case Id::kTagString:
+ case Id::kTargetType:
+ case Id::kName:
+ case Id::kLanguage:
+ case Id::kCodecId:
+ case Id::kCodecName:
+ maxElementSizeAllowed = 1 * 1024 * 1024; // 1MiB
+ break;
+ case Id::kBlockAdditional:
+ case Id::kContentEncKeyId:
+ case Id::kProjectionPrivate:
+ case Id::kTagBinary:
+ maxElementSizeAllowed = 16 * 1024 * 1024; // 16MiB
+ break;
+ default:
+ break;
+ }
+ if (maxElementSizeAllowed && metadata.size >= *maxElementSizeAllowed)
+ return Status(Status::kNotEnoughMemory);
+
return Status(Status::kOkCompleted);
}
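Review bot: the comparison `metadata.size >= *maxElementSizeAllowed` is exclusive of the cap while the comments say `// 1MiB` and `// 16MiB`, so an element of exactly 1 MiB is rejected; either use `>` or word the comments as "must be below 1 MiB" so the two agree. The limits would also read better as named constants (for example one for string elements and one for binary ones) than as repeated `1 * 1024 * 1024` arithmetic. The placement is right: OnElementBegin sees `metadata.size` before libwebm's StringParser or ByteParser allocates, which is what makes the infallible allocator safe to reach. What the hunk cannot show is completeness: any string or binary element that libwebm reads into a std::string or std::vector but that is absent from the `switch` still goes through the infallible allocator unchecked, so it is worth confirming the id list against every element those two parsers handle.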
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes