summaryrefslogtreecommitdiff
path: root/gst
diff options
context:
space:
mode:
authorJan Schmidt <jan@centricular.com>2017-02-01 14:37:29 +1100
committerJan Schmidt <jan@centricular.com>2017-02-01 14:46:15 +1100
commitae98d3537be611de771d94cc48da218d9a8cb540 (patch)
tree17e1509397370aa0435afea2a3e7ee9229bbdc25 /gst
parent948b87bf1514de55ee96575d204140eeec3a80a8 (diff)
mpegdemux: Add extra length checks to TS scanning.
Add some missing size checks to the timestamp scanning fast path.
Diffstat (limited to 'gst')
-rw-r--r--gst/mpegdemux/gstmpegdemux.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/gst/mpegdemux/gstmpegdemux.c b/gst/mpegdemux/gstmpegdemux.c
index 755e8e6c1..990890892 100644
--- a/gst/mpegdemux/gstmpegdemux.c
+++ b/gst/mpegdemux/gstmpegdemux.c
@@ -2408,6 +2408,8 @@ gst_ps_demux_scan_ts (GstPsDemux * demux, const guint8 * data,
code = GST_READ_UINT32_BE (data);
if (G_LIKELY (code != ID_PS_PACK_START_CODE))
goto beach;
+ if (data + 12 > end)
+ goto beach;
/* skip start code */
data += 4;
scr1 = GST_READ_UINT32_BE (data);
@@ -2436,12 +2438,17 @@ gst_ps_demux_scan_ts (GstPsDemux * demux, const guint8 * data,
/* SCR has been converted into units of 90Khz ticks to make it comparable
to DTS/PTS, that also implies 1 tick rounding error */
data += 6;
+
+ if (data + 4 > end)
+ goto beach;
/* PMR:22 ! :2==11 ! reserved:5 ! stuffing_len:3 */
next32 = GST_READ_UINT32_BE (data);
if ((next32 & 0x00000300) != 0x00000300)
goto beach;
stuffing_bytes = (next32 & 0x07);
data += 4;
+ if (data + stuffing_bytes > end)
+ goto beach;
while (stuffing_bytes--) {
if (*data++ != 0xff)
goto beach;
@@ -2468,6 +2475,9 @@ gst_ps_demux_scan_ts (GstPsDemux * demux, const guint8 * data,
}
/* Possible optional System header here */
+ if (data + 8 > end)
+ goto beach;
+
code = GST_READ_UINT32_BE (data);
len = GST_READ_UINT16_BE (data + 4);
if (code == ID_PS_SYSTEM_HEADER_START_CODE) {