List: helix-datatype-cvs
Subject: [Datatype-cvs] avi/fileformat avistrm.cpp,1.22.4.32,1.22.4.33
From: jcroker () helixcommunity ! org
Date: 2012-06-14 16:47:13
Update of /cvsroot/datatype/avi/fileformat
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv24740
Modified Files:
Tag: hxclient_4_2_0_brizo
avistrm.cpp
Log Message:
"Nokia submits this code under the terms of a commercial contribution agreement with Real Networks, and I am authorized to contribute this code under said agreement."
Modified by: ext-chandra.2.kumar@nokia.com
Reviewed by: ext-antti.ju.turunen@nokia.com, qluo@realnetworks.com
RC Id: 994789
Change Id: ou1cimx1#1005576
Date: 06/06/2012
Project: SymbianMmf_wm
Synopsis: There are several crashes on different devices while performing special performance build. One of the cases in which program counter reaches at location Exec::ServerCancel(int)
Overview: m_pShutdownObj is not checked against NULL before destruction. Deleting already freed memory can cause crash.
Fix: checked m_pShutdownObj against NULL before deletion using macro HX_DELETE.
Files modified & changes: src/common/system/platform/symbian/CHXSymbianServer.cpp
Synopsis: There are several crashes on different devices while performing special performance build. One of the cases in which program counter reaches at location memcpy(EXPORTED)
Overview: Function memcpy second parameter m_pFormat range is not checked before copying data from it. Accessing memory out of valid range can cause crash.
Fix: Checked valid range of memory allocated for m_pFormat before copying data. m_pFormat has memory allocation of size ( m_pFormatLen = len + nPadding) for case AVI_AUDS_TYPE. memcpy function is trying to read bytes of size pWaveInfo->usSize and reading will start from the memory location (base address of m_pFormat + sizeof(WaveInfo)). From this location pWaveInfo->usSize should not exceed m_pFormatLen.
Files modified & changes:
src/datatype/avi/fileformat/avistrm.cpp
src/datatype/avi/fileformat/pub/avistrm.h
Image Size and Heap Use impact: No major impact
Module Release testing (STIF) : Passed
Test case(s) Added : No
Memory leak check performed : N/A
Platforms and Profiles Functionality verified: armv5
MCL Branch: 420 brizo
Diff: Attached
Index: avistrm.cpp
===================================================================
RCS file: /cvsroot/datatype/avi/fileformat/avistrm.cpp,v
retrieving revision 1.22.4.32
retrieving revision 1.22.4.33
diff -u -d -r1.22.4.32 -r1.22.4.33
--- avistrm.cpp 30 May 2012 13:37:54 -0000 1.22.4.32
+++ avistrm.cpp 14 Jun 2012 16:47:10 -0000 1.22.4.33
@@ -346,6 +346,7 @@
, m_pSuperIndex(NULL)
, m_ulTargetSeekTime(0)
, m_ulNStdIndexEntries(0)
+ , m_ulFormatLen(0)
#endif
{
HXLOGL2(HXLOG_AVIX, "CAVIStream[%p]::CAVIStream() CTOR", this);
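Review bot: the new `, m_ulFormatLen(0)` initializer sits directly above the `#endif`, so it is only compiled when the enclosing preprocessor condition is true. The range check added later in this patch reads m_ulFormatLen, so unless the member declaration in avistrm.h and every use are under the same guard, a build with the condition off either fails to compile or, if the declaration is unguarded, compares against an uninitialized value. Suggest moving the initializer out of the conditional block, placed in member declaration order.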
@@ -641,7 +642,7 @@
{
nPadding = 0;
}
-
+ m_ulFormatLen = len + nPadding;
m_pFormat = new UCHAR[len + nPadding];
memcpy(m_pFormat, buf, len);
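Review bot: m_ulFormatLen is assigned before the allocation on the next line, and `len + nPadding` is then computed a second time inside `new UCHAR[len + nPadding]`. Allocate with `new UCHAR[m_ulFormatLen]` so the recorded size and the buffer size cannot drift apart, and if `new` can return NULL in this build, record the length only after the allocation succeeds (the `memcpy(m_pFormat, buf, len)` that follows has no NULL check). Otherwise a failed allocation leaves a non-zero m_ulFormatLen paired with a NULL m_pFormat, and the later range check would still pass.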
@@ -1092,9 +1093,11 @@
{
UINT32 len;
waveHeader.pack(pOpaqueData->GetBuffer(), len);
-
- memcpy(pOpaqueData->GetBuffer() + waveHeader.static_size(),
- m_pFormat + sizeof(WaveInfo), pWaveInfo->usSize);
+ if(sizeof(WaveInfo)+ pWaveInfo->usSize <= m_ulFormatLen)
+ {
+ memcpy(pOpaqueData->GetBuffer() + \
waveHeader.static_size(), + m_pFormat + \
sizeof(WaveInfo), pWaveInfo->usSize); + }
}
}
else
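Review bot: when `sizeof(WaveInfo)+ pWaveInfo->usSize <= m_ulFormatLen` is false the copy is skipped silently, so pOpaqueData is left holding only the packed header and nothing in this hunk reports the malformed format block. Suggest logging the condition and returning an error on that path instead of falling through. The check also bounds only the read from m_pFormat; the hunk does not show that the pOpaqueData buffer has room for `waveHeader.static_size() + pWaveInfo->usSize` bytes, so the destination side deserves the same test before the memcpy.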
_______________________________________________
Datatype-cvs mailing list
Datatype-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/datatype-cvs