authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2015-02-20 17:19:54 +0100
committerMichael BrĂ¼ning <michael.bruning@theqtcompany.com>2015-02-24 12:22:27 +0000
commitf11cfbcb5d7fd5ad4e32deae77fac6d17f87a4b7 (patch)
tree81d8f2577f7f91962bca180ad387bbeb716ea41c
parentc1fbe1875c0f31faaac604cd861766a7c14e3cdf (diff)
Fix crash on html5video.org by detecting inconsistent frame data
On this particular video, GStreamer is sending us invalid dimensions that would lead us to operate on invalid addresses. We ignore that frame and print a warning to the log so the user might know their gstreamer plugin is dangerously broken. Task-number: QTBUG-44245 Change-Id: I476ec9822ff2f8210161a8642e16bbafb6786357 Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
-rw-r--r--Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp4
-rw-r--r--Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp2
2 files changed, 5 insertions, 1 deletions
diff --git a/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp b/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
index ece3c3f27..58db02696 100644
--- a/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
+++ b/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
@@ -45,6 +45,10 @@ ImageGStreamer::ImageGStreamer(GstBuffer* buffer, GstCaps* caps)
#ifdef GST_API_VERSION_1
gst_buffer_map(buffer, &m_mapInfo, GST_MAP_READ);
uchar* bufferData = reinterpret_cast<uchar*>(m_mapInfo.data);
+ if (size.width() * size.height() * 4 > m_mapInfo.maxsize) {
+ qWarning("Ignoring dangerously invalid frame emitted by GStreamer.");
+ return;
+ }
#else
uchar* bufferData = reinterpret_cast<uchar*>(GST_BUFFER_DATA(buffer));
#endif
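Review bot: The added bounds check can be defeated by arithmetic overflow: `size.width() * size.height() * 4` appears to be evaluated in `int` (no cast is visible), so dimensions from a malformed stream can wrap to a small value that passes the comparison. The product is also compared with `m_mapInfo.maxsize` (the allocation) rather than `m_mapInfo.size` (the valid data). I would compute the requirement in 64 bits and reject non-positive dimensions, e.g. `const guint64 needed = static_cast<guint64>(size.width()) * size.height() * 4;` followed by `if (size.width() <= 0 || size.height() <= 0 || needed > m_mapInfo.size) {`. The early return also comes after `gst_buffer_map()`, whose return value is not checked. The constructor continues outside the hunk, so it is worth confirming that the destructor unmaps the buffer on this path and that the `#else` branch for the older API does not need an equivalent check.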
diff --git a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
index 83c896c39..6235ae9be 100644
--- a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
+++ b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
@@ -440,7 +440,7 @@ void MediaPlayerPrivateGStreamerBase::paint(GraphicsContext* context, const IntR
}
RefPtr<ImageGStreamer> gstImage = ImageGStreamer::createImage(m_buffer, caps.get());
- if (!gstImage) {
+ if (!gstImage || !gstImage->image().get()) {
g_mutex_unlock(m_bufferMutex);
return;
}
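Review bot: The new `!gstImage->image().get()` test in `paint()` makes rejection of a bad frame depend on every caller remembering to inspect a half-constructed object. `ImageGStreamer::createImage()` still returns a non-null `ImageGStreamer` whose image is null, so any other caller outside this hunk that only checks `!gstImage` would presumably go on to use the null image. Having `createImage()` return null when the constructor rejected the frame would let the existing `!gstImage` check cover all call sites. If the check stays here, a comment such as `// image() is null when ImageGStreamer rejected a frame whose size does not match its caps` would explain why both conditions are needed. `paint()` starts and ends outside the hunk.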