1 files changed, 32 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
new file mode 100644
index 0000000000..854c91b8aa
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
@@ -0,0 +1,32 @@
+From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jyavenard@mozilla.com>
+Date: Wed, 9 Dec 2015 09:54:58 +0100
+Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
+ r=kentuckyfriedtakahe, a=sylvestre
+
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp            | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index 22163fa..318152a 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
+     CHECK_NE(err, (status_t)NO_INIT);
+ 
+     // copy pssh data into file metadata
+-    int psshsize = 0;
++    uint64_t psshsize = 0;
+     for (size_t i = 0; i < mPssh.size(); i++) {
+         psshsize += 20 + mPssh[i].datalen;
+     }
++    if (psshsize > kMAX_ALLOCATION) {
++        return ERROR_MALFORMED;
++    }
+     if (psshsize) {
+         char *buf = (char*)malloc(psshsize);
+         char *ptr = buf;
+-- 
+2.6.3
+