In many places, the existing code uses with_capacity to preallocate a container in preparation as an optimization for parsing the following fields. In cases where the capacity is read directly from a field in the file and passed to with_capacity, it's trivial for an invalid file to trigger a controlled OOM crash by specifying a sufficiently large size.
This is intended to fix the crash mentioned in BMO 1813063 comment 14, triggered by a fuzzer generated file containing an stsd box reporting 738197505 entries in the sample description table (but only containing 1).
I've replaced each case where we read a u32 or larger field directly from the file and use it as a size hint for with_capacity to calls to the trivial wrappers vec_with_capacity_hint and hashmap_with_capacity_hint that limit the maximum preallocation size to the arbitrary value of 1MB CAPACITY_HINT_LIMIT.
In many places, the existing code uses
with_capacityto preallocate a container in preparation as an optimization for parsing the following fields. In cases where the capacity is read directly from a field in the file and passed towith_capacity, it's trivial for an invalid file to trigger a controlled OOM crash by specifying a sufficiently large size.This is intended to fix the crash mentioned in BMO 1813063 comment 14, triggered by a fuzzer generated file containing an stsd box reporting 738197505 entries in the sample description table (but only containing 1).
I've replaced each case where we read a u32 or larger field directly from the file and use it as a size hint for
with_capacityto calls to the trivial wrappersvec_with_capacity_hintandhashmap_with_capacity_hintthat limit the maximum preallocation size to the arbitrary value of 1MBCAPACITY_HINT_LIMIT.