| Summary: | [GTK] Add an overflow check to remove the gcc warning since r270506. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Joonghun Park <jh718.park> | ||||
| Component: | WebCore Misc. | Assignee: | Joonghun Park <jh718.park> | ||||
| Status: | RESOLVED INVALID | ||||||
| Severity: | Normal | CC: | darin, eric.carlson, ews-watchlist, glenn, hta, jer.noble, philipj, sergio, tommyw, youennf | ||||
| Priority: | P2 | ||||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Joonghun Park
2020-12-08 00:43:43 PST
Created attachment 415616 [details]
Patch
Comment on attachment 415616 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=415616&action=review > Source/WebCore/Modules/mediastream/H264Utils.cpp:138 > + if (spsPpsLength > std::numeric_limits<size_t>::max() - 2) { > + ASSERT_NOT_REACHED(); > + return { }; > + } Vector::resize will call CRASH if the size is too large. This instead returns an empty buffer. I don’t think there’s a good reason to be inconsistent about this. So this should just be CRASH(). An alternate way to do this would be to use checked arithmetic. CheckedSize exists for cases like this. That fix would be below. > Source/WebCore/Modules/mediastream/H264Utils.cpp:141 > buffer.resize(spsPpsLength + 2); Could do this instead: buffer.grow((CheckedSize(spsPpsLength) + 2).unsafeGet()); Using unsafeGet gives us the same crash behavior as Vector::resize. Using Vector::grow instead of Vector::resize is the best practice when starting with a new vector, skips unneeded logic for shrinking the buffer. Doing it this way has the advantage of tying the check directly to the arithmetic instead of having to make sure the preflight matches the arithmetic below. This file and the statement caused the build warning no longer exist, so the build warning was removed. |