dvdspu: Make sure enough data is allocated for the available data

If the size read from the stream is smaller than the currently available data then the size is bogus and the data should simply be discarded. Fixes ZDI-CAN-20994 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4902>
author: Sebastian Dröge <sebastian@centricular.com> 2023-06-13 14:23:47 +0300
committer: GStreamer Marge Bot <gitlab-merge-bot@gstreamer-foundation.org> 2023-06-21 00:14:38 +0000
commit: ef83d981d10a44bd09eed0ad7faa6644fd704418 (patch)
tree: 99f4da436c63c3c5c832783b23f1611b5b0dc477
parent: 09cb143afaf2f35efd41ccf91311002eaf9706b4 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
index 6108de07c2..391bb630f5 100644
--- a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
+++ b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
     obj->rle_data_size = GST_READ_UINT24_BE (payload);
     payload += 3;
 
+    if (end - payload > obj->rle_data_size)
+      return 0;
+
     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
         (int) (end - payload), obj->rle_data_size);
author	Sebastian Dröge <sebastian@centricular.com>	2023-06-13 14:23:47 +0300
committer	GStreamer Marge Bot <gitlab-merge-bot@gstreamer-foundation.org>	2023-06-21 00:14:38 +0000
commit	ef83d981d10a44bd09eed0ad7faa6644fd704418 (patch)
tree	99f4da436c63c3c5c832783b23f1611b5b0dc477
parent	09cb143afaf2f35efd41ccf91311002eaf9706b4 (diff)