[cocoa] AVStreamDataParser accepts media segments not preceded by an init segment
4ed0007
LayoutTests/media/media-source/media-source-append-media-before-init.html
+function makeFreeBox(size) {
+ var buffer = new ArrayBuffer(size);
+ var view = new DataView(buffer);
+ view.setUint32(0, size);
+ view.setUint32(4, 0x66726565); // 'free'
+ return buffer;
+}
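Review bot: makeFreeBox only emits the compact 8-byte header form (32-bit size followed by 'free'), so this test never exercises the other size-field encodings a box-header walker has to decode: size == 1 with a 64-bit largesize at offset 8, size == 0 (box extends to end of stream), and a size smaller than its own header. It also does not guard against size < 8: `new ArrayBuffer(size)` is then shorter than the header and `view.setUint32(4, 0x66726565)` throws a RangeError instead of producing a malformed box. Consider parameterising the helper (or adding makeLargesizeBox / makeZeroSizeBox variants built with `view.setUint32(0, 1)` plus a 64-bit value at offset 8, and `view.setUint32(0, 0)`) so the pre-parser's size decoding and cross-append reassembly are covered, not just the happy path.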
WebKit's MSE implementation on Cocoa delegates ISO-BMFF parsing to AVStreamDataParser, an AVFoundation private API. The MSE spec mandates a strict ordering: an initialization segment (ftyp+moov) must precede any media segment (moof+mdat). AVStreamDataParser does not enforce this itself — it produces CMSampleBuffers with null CMFormatDescription that fail downstream. Mid-stream format changes (a new ftyp arriving without a preceding abort()/changeType()) trigger an internal CoreMedia -16046 error from MoofManifold that is swallowed silently.
This commit adds a new ISOBMFFPreParser upstream of AVStreamDataParser. It walks ISO-BMFF box headers across appendData() boundaries — without parsing box contents — to reject media segments before any init segment and inject an AVStreamDataParserStreamDataDiscontinuity signal when a new ftyp appears mid-stream. The pre-parser uses BitReader rather than the existing ISOBox::peekBox (which requires JSC::DataView and routes through Gigacage) because SharedBuffer contents are not Gigacage-allocated and that path faults with EXC_BAD_ACCESS. The previously dead AppendFlags::Discontinuity code path is activated for the first time outside abort()/changeType().
Significance
A new stateful binary parser now sits in front of AVStreamDataParser on Apple platforms, walking ISO-BMFF box headers across appendData() boundaries on attacker-supplied, non-Gigacaged memory.
Audit directions
The new binary pre-parser has several edge cases in its size-field decoding, cross-boundary reassembly, and append-split logic worth security investigation.
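The following is an added example, not WebKit code: a minimal stateful box-header walker of the kind the commit description above introduces, written to make the edge cases listed in the preceding sentence concrete. The names (BoxHeaderWalker, AppendResult, makeBox) are hypothetical, and its policy choices are assumptions rather than WebKit's behaviour: only 'ftyp' followed by 'moov' counts as an init segment, 'moof'/'mdat' before that is rejected, a second 'ftyp' is reported as a discontinuity and resets the init state, and a size field of 0 (box runs to end of file) or smaller than its own header is treated as malformed because a streaming parser cannot safely skip either. Headers split across two appends are reassembled from a small pending buffer; payloads are skipped without being parsed.

```cpp
// Added example: a minimal stateful ISO-BMFF box-header walker (not WebKit's ISOBMFFPreParser).
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct AppendResult {
    bool accepted = true;            // false: this append was rejected and the walker is now in an error state
    std::string reason;              // "media-before-init" or "malformed-size" when accepted == false
    unsigned discontinuities = 0;    // mid-stream 'ftyp' boxes seen in this append (one signal each)
    std::vector<std::string> boxes;  // top-level box types whose headers completed in this append
};

class BoxHeaderWalker {
public:
    // Feed one appendData() worth of bytes. Only box headers are decoded; payloads are skipped,
    // and a header split across two appends is reassembled from pending_.
    AppendResult append(const uint8_t* data, size_t len) {
        AppendResult r;
        if (failed_) { r.accepted = false; r.reason = reason_; return r; }
        size_t pos = 0;
        while (pos < len) {
            if (skip_ > 0) {  // still inside the payload of the previous box: skip without parsing
                uint64_t n = std::min<uint64_t>(skip_, len - pos);
                skip_ -= n;
                pos += static_cast<size_t>(n);
                continue;
            }
            pending_.push_back(data[pos++]);
            if (pending_.size() < 8) continue;           // compact header: 32-bit size + 4-char type
            uint64_t size = be32(pending_.data());
            size_t headerLen = 8;
            if (size == 1) {                             // size == 1: 64-bit largesize follows the type
                if (pending_.size() < 16) continue;
                size = be64(pending_.data() + 8);
                headerLen = 16;
            }
            std::string type(reinterpret_cast<const char*>(pending_.data() + 4), 4);
            pending_.clear();
            // size == 0 ("extends to end of file") cannot be skipped in a streaming parser, and a size
            // smaller than its own header would wrap the skip length; both are rejected (assumed policy).
            if (size == 0 || size < headerLen) return fail(r, "malformed-size");
            skip_ = size - headerLen;
            r.boxes.push_back(type);
            if (type == "ftyp") {
                if (haveFtyp_) { ++r.discontinuities; haveInit_ = false; }  // new stream: a fresh moov is required
                haveFtyp_ = true;
            } else if (type == "moov") {
                if (haveFtyp_) haveInit_ = true;          // init segment complete: media may follow
            } else if (type == "moof" || type == "mdat") {
                if (!haveInit_) return fail(r, "media-before-init");
            }
            // any other box (free, styp, sidx, ...) is accepted and its payload skipped
        }
        return r;
    }

private:
    AppendResult& fail(AppendResult& r, const char* why) {
        failed_ = true; reason_ = why; r.accepted = false; r.reason = why; return r;
    }
    static uint64_t be32(const uint8_t* p) {
        return (uint64_t(p[0]) << 24) | (uint64_t(p[1]) << 16) | (uint64_t(p[2]) << 8) | p[3];
    }
    static uint64_t be64(const uint8_t* p) { return (be32(p) << 32) | be32(p + 4); }

    std::vector<uint8_t> pending_;  // partial header bytes carried across appends
    uint64_t skip_ = 0;             // payload bytes of the current box still to skip
    bool haveFtyp_ = false, haveInit_ = false, failed_ = false;
    std::string reason_;
};

// Constructs a box with a zero-filled payload of `payloadLen` bytes (constructed test input, not a real MP4).
static std::vector<uint8_t> makeBox(const char* type, uint32_t payloadLen, bool largesize = false) {
    std::vector<uint8_t> b;
    uint64_t size = (largesize ? 16 : 8) + payloadLen;
    uint32_t size32 = largesize ? 1 : static_cast<uint32_t>(size);
    for (int i = 3; i >= 0; --i) b.push_back(uint8_t(size32 >> (8 * i)));
    b.insert(b.end(), type, type + 4);
    if (largesize) for (int i = 7; i >= 0; --i) b.push_back(uint8_t(size >> (8 * i)));
    b.resize(b.size() + payloadLen, 0);
    return b;
}

int main() {
    BoxHeaderWalker w;
    std::vector<uint8_t> media = makeBox("moof", 4);   // media segment with no init segment before it
    AppendResult r = w.append(media.data(), media.size());
    std::printf("moof before init: accepted=%d reason=%s\n", r.accepted, r.reason.c_str());
    return 0;
}
```

The walker deliberately returns the verdict per append rather than throwing, and stays in its error state afterwards, so a caller can drop the SourceBuffer to the error state the way the MSE spec expects instead of feeding a half-parsed box to the next stage. The largesize and split-header paths are the ones to fuzz first: the 16-byte header arriving one byte per append, and a largesize just below and just above the header length.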