h265parse: Ensure codec_data has the required size when reading number of NAL arrays

https://bugzilla.gnome.org/show_bug.cgi?id=774896
author: Sebastian Dröge <sebastian@centricular.com> 2016-11-23 10:52:05 +0200
committer: Sebastian Dröge <sebastian@centricular.com> 2016-11-23 10:53:46 +0200
commit: 43736e5c376b0d79680817a28349aaa300f14c0d (patch)
tree: c7f79bf32f8eeddf7bf09a91dc0e179f14fb9625 /gst/videoparsers
parent: 1dbfef93d6aca245f1793f9b5348a9dbcd02be97 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/gst/videoparsers/gsth265parse.c b/gst/videoparsers/gsth265parse.c
index 68fbe8d1b..84be1195c 100644
--- a/gst/videoparsers/gsth265parse.c
+++ b/gst/videoparsers/gsth265parse.c
@@ -2016,6 +2016,7 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
       (value = gst_structure_get_value (str, "codec_data"))) {
     GstMapInfo map;
     guint8 *data;
+    guint num_nal_arrays;
 
     GST_DEBUG_OBJECT (h265parse, "have packetized h265");
     /* make note for optional split processing */
@@ -2044,8 +2045,15 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
     GST_DEBUG_OBJECT (h265parse, "nal length size %u",
         h265parse->nal_length_size);
 
+    num_nal_arrays = data[22];
     off = 23;
-    for (i = 0; i < data[22]; i++) {
+
+    for (i = 0; i < num_nal_arrays; i++) {
+      if (off + 3 >= size) {
+        gst_buffer_unmap (codec_data, &map);
+        goto hvcc_too_small;
+      }
+
       num_nals = GST_READ_UINT16_BE (data + off + 1);
       off += 3;
       for (j = 0; j < num_nals; j++) {
author	Sebastian Dröge <sebastian@centricular.com>	2016-11-23 10:52:05 +0200
committer	Sebastian Dröge <sebastian@centricular.com>	2016-11-23 10:53:46 +0200
commit	43736e5c376b0d79680817a28349aaa300f14c0d (patch)
tree	c7f79bf32f8eeddf7bf09a91dc0e179f14fb9625 /gst/videoparsers
parent	1dbfef93d6aca245f1793f9b5348a9dbcd02be97 (diff)