guix/gnu/packages/patches/icecat-CVE-2016-2814.patch

# HG changeset patch
# User Jean-Yves Avenard <jyavenard@mozilla.com>
# Date 1460655260 25200
# Node ID a13c0bc84d6eb132f4199f563fbe228d2d3b3a51
# Parent  88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
Bug 1254721: Ensure consistency between Cenc offsets and sizes table. r=gerald a=sylvestre

MozReview-Commit-ID: E1KbKIIBR87

diff --git a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
@@ -612,18 +612,18 @@ status_t
 SampleTable::parseSampleCencInfo() {
     if ((!mCencDefaultSize && !mCencInfoCount) || mCencOffsets.isEmpty()) {
         // We don't have all the cenc information we need yet. Quietly fail and
         // hope we get the data we need later in the track header.
         ALOGV("Got half of cenc saio/saiz pair. Deferring parse until we get the other half.");
         return OK;
     }
 
-    if (!mCencSizes.isEmpty() && mCencOffsets.size() > 1 &&
-        mCencSizes.size() != mCencOffsets.size()) {
+    if ((mCencOffsets.size() > 1 && mCencOffsets.size() < mCencInfoCount) ||
+        (!mCencDefaultSize && mCencSizes.size() < mCencInfoCount)) {
         return ERROR_MALFORMED;
     }
 
     if (mCencInfoCount > kMAX_ALLOCATION / sizeof(SampleCencInfo)) {
         // Avoid future OOM.
         return ERROR_MALFORMED;
     }