1 files changed, 35 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2016-2814.patch b/gnu/packages/patches/icecat-CVE-2016-2814.patch
new file mode 100644
index 0000000000..5f197f25e6
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2814.patch
@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Jean-Yves Avenard <jyavenard@mozilla.com>
+# Date 1460655260 25200
+# Node ID a13c0bc84d6eb132f4199f563fbe228d2d3b3a51
+# Parent  88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
+Bug 1254721: Ensure consistency between Cenc offsets and sizes table. r=gerald a=sylvestre
+
+MozReview-Commit-ID: E1KbKIIBR87
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
+--- a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
+@@ -612,18 +612,18 @@ status_t
+ SampleTable::parseSampleCencInfo() {
+     if ((!mCencDefaultSize && !mCencInfoCount) || mCencOffsets.isEmpty()) {
+         // We don't have all the cenc information we need yet. Quietly fail and
+         // hope we get the data we need later in the track header.
+         ALOGV("Got half of cenc saio/saiz pair. Deferring parse until we get the other half.");
+         return OK;
+     }
+ 
+-    if (!mCencSizes.isEmpty() && mCencOffsets.size() > 1 &&
+-        mCencSizes.size() != mCencOffsets.size()) {
++    if ((mCencOffsets.size() > 1 && mCencOffsets.size() < mCencInfoCount) ||
++        (!mCencDefaultSize && mCencSizes.size() < mCencInfoCount)) {
+         return ERROR_MALFORMED;
+     }
+ 
+     if (mCencInfoCount > kMAX_ALLOCATION / sizeof(SampleCencInfo)) {
+         // Avoid future OOM.
+         return ERROR_MALFORMED;
+     }
+ 
+