author | Jan Schmidt <jan@centricular.com> | 2017-02-01 14:37:29 +1100 |
---|---|---|
committer | Jan Schmidt <jan@centricular.com> | 2017-02-01 14:46:15 +1100 |
commit | ae98d3537be611de771d94cc48da218d9a8cb540 (patch) | |
tree | 17e1509397370aa0435afea2a3e7ee9229bbdc25 /gst | |
parent | 948b87bf1514de55ee96575d204140eeec3a80a8 (diff) |
mpegdemux: Add extra length checks to TS scanning.
Add some missing size checks to the timestamp scanning
fast path.
Diffstat (limited to 'gst')
-rw-r--r-- | gst/mpegdemux/gstmpegdemux.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/gst/mpegdemux/gstmpegdemux.c b/gst/mpegdemux/gstmpegdemux.c
index 755e8e6c1..990890892 100644
--- a/gst/mpegdemux/gstmpegdemux.c
+++ b/gst/mpegdemux/gstmpegdemux.c
@@ -2408,6 +2408,8 @@ gst_ps_demux_scan_ts (GstPsDemux * demux, const guint8 * data,
 code = GST_READ_UINT32_BE (data);
 if (G_LIKELY (code != ID_PS_PACK_START_CODE))
 goto beach;
+ if (data + 12 > end)
+ goto beach;
 /* skip start code */
 data += 4;
 scr1 = GST_READ_UINT32_BE (data);
@@ -2436,12 +2438,17 @@ gst_ps_demux_scan_ts (GstPsDemux * demux, const guint8 * data,
 /* SCR has been converted into units of 90Khz ticks to make it comparable to DTS/PTS, that also implies 1 tick rounding error */
 data += 6;
+
+ if (data + 4 > end)
+ goto beach;
 /* PMR:22 ! :2==11 ! reserved:5 ! stuffing_len:3 */
 next32 = GST_READ_UINT32_BE (data);
 if ((next32 & 0x00000300) != 0x00000300)
 goto beach;
 stuffing_bytes = (next32 & 0x07);
 data += 4;
+ if (data + stuffing_bytes > end)
+ goto beach;
 while (stuffing_bytes--) {
 if (*data++ != 0xff)
 goto beach;
@@ -2468,6 +2475,9 @@ gst_ps_demux_scan_ts (GstPsDemux * demux, const guint8 * data,
 }
 /* Possible optional System header here */
+ if (data + 8 > end)
+ goto beach;
+
 code = GST_READ_UINT32_BE (data);
 len = GST_READ_UINT16_BE (data + 4);
 if (code == ID_PS_SYSTEM_HEADER_START_CODE) { |
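Review bot: The new guard `if (data + 12 > end)` forms the pointer `data + 12` before comparing it, and when fewer than 12 bytes remain that pointer lies beyond one past the end of the buffer, which is undefined behaviour in C and may not compare as intended. The same form is used in the later hunks (`data + 4 > end`, `data + stuffing_bytes > end`, `data + 8 > end`). Comparing the remaining length keeps the arithmetic in range, e.g. `if (end - data < 12)`, given that `data <= end` holds on entry. The guard also sits after `code = GST_READ_UINT32_BE (data)`, so the 4-byte start-code read relies on a check made earlier in gst_ps_demux_scan_ts or by its caller; the function starts outside the hunk, so that should be confirmed. A short comment saying which reads the constant 12 covers would help the next reader.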
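Review bot: In the last hunk the `data + 8 > end` check bounds only the two reads that follow it (`code` and `len`), while `len` is a 16-bit value taken from the stream and nothing visible here bounds it against `end`. The body of `if (code == ID_PS_SYSTEM_HEADER_START_CODE)` is outside the hunk, so this is inferred: if that branch skips the system header by advancing `data` by a `len`-derived amount, it needs its own check first, such as `if (end - data < 6 + len) goto beach;`. Separately, requiring 8 bytes here also applies when no system header is present; that is probably fine for a scanning fast path but worth a one-line comment.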