From 14ac682365925234f1f7bc3572f185b69f798814 Mon Sep 17 00:00:00 2001
From: "dalecurtis@chromium.org"
Date: Tue, 13 Aug 2013 19:18:44 +0000
Subject: Fix undefined behavior due to negative bitshifting.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported externally here: http://www.viva64.com/en/b/0205/

Relevant C++ spec: The value of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are zero-filled. If E1 has an unsigned type, the value of the result is E1 × 2E^2, reduced modulo one more than the maximum value representable in the result type. Otherwise, if E1 has a signed type and non-negative value, and E1×2E^2 is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.

BUG=271530
TEST=media_unittests

Review URL: https://chromiumcodereview.appspot.com/22950002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@217307 0039d316-1c4b-4281-b951-d872f2087c98
---
 media/webm/webm_cluster_parser.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'media/webm/webm_cluster_parser.cc')

diff --git a/media/webm/webm_cluster_parser.cc b/media/webm/webm_cluster_parser.cc
index f83a365..9991d6b 100644
--- a/media/webm/webm_cluster_parser.cc
+++ b/media/webm/webm_cluster_parser.cc
@@ -214,7 +214,7 @@ bool WebMClusterParser::ParseBlock(bool is_simple_block, const uint8* buf,
   // Sign extend negative timecode offsets.
   if (timecode & 0x8000)
-    timecode |= (-1 << 16);
+    timecode |= ~0xffff;
   const uint8* frame_data = buf + 4;
   int frame_size = size - (frame_data - buf);
@@ -277,6 +277,8 @@ bool WebMClusterParser::OnBlock(bool is_simple_block, int track_num,
     return false;
   }
+  // TODO(acolwell): Should relative negative timecode offsets be rejected? Or
+  // only when the absolute timecode is negative? See http://crbug.com/271794
   if (timecode < 0) {
     MEDIA_LOG(log_cb_) << "Got a block with negative timecode offset "
                        << timecode;
-- 
cgit v1.1
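Review bot: The new `timecode |= ~0xffff;` is only a correct sign extension if `timecode` is a signed integer wider than 16 bits that was loaded from an unsigned 16-bit field, and neither the declaration nor the load is in the hunk, so the reader has to trust the bare constants `0x8000` and `~0xffff`. A one-line comment tying the two magic values to the field width would make the invariant visible, e.g. `// timecode holds a 16-bit two's-complement offset in a wider signed int; setting every bit above bit 15 sign-extends it.` The body of ParseBlock begins and ends outside this hunk, so whether the negative result is later bounds-checked against the cluster timecode cannot be confirmed from here.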
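Review bot: The added TODO in OnBlock asks what the policy for negative offsets should be but does not record what the code does today, so a reader of the log line has to open the bug to learn whether the block is dropped or accepted. Since the branch continues past `<< timecode;` outside the hunk, the current outcome cannot be confirmed here, but the comment should state it, e.g. `// Currently: <describe what the branch below does — placeholder>.` followed by the existing question and crbug link.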