authorEdward Hervey <edward@centricular.com>2018-02-01 10:40:28 +0100
committerEdward Hervey <bilboed@bilboed.com>2018-02-01 10:51:21 +0100
commit0d14819ef2a5abc368140c2750967888da245e5b (patch)
tree9d28acae8769ccae191eeafbc3a47a9b0ee4b6fa
parentdbae19773add26d7db502f25a12eb0050763fbe4 (diff)
oggdemux: Handle invalid-sized packets
On invalid packets there is the possibility we might end up wanting to trim/offset more than what is available. oss-fuzz issue #5866
-rw-r--r--ext/ogg/gstoggdemux.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/ext/ogg/gstoggdemux.c b/ext/ogg/gstoggdemux.c
index fcb033748..e600b3d6d 100644
--- a/ext/ogg/gstoggdemux.c
+++ b/ext/ogg/gstoggdemux.c
@@ -778,7 +778,9 @@ gst_ogg_demux_chain_peer (GstOggPad * pad, ogg_packet * packet,
pad->prev_granule = pad->current_granule;
}
- if (pad->map.is_ogm_text) {
+ if (G_UNLIKELY (offset + trim > packet->bytes))
+ goto invalid_packet;
+ else if (pad->map.is_ogm_text) {
/* check for invalid buffer sizes */
if (G_UNLIKELY (offset + trim >= packet->bytes))
goto empty_packet;
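Review bot: The new guard `if (G_UNLIKELY (offset + trim > packet->bytes))` bounds only the sum, so it would still pass if either term were negative or if the addition wrapped. The declarations of `offset` and `trim` and the code that computes them are outside this hunk, so this needs confirming; if they are signed and derived from packet contents, I would bound each term, e.g. `if (G_UNLIKELY (offset < 0 || trim < 0 || offset > packet->bytes || trim > packet->bytes - offset))`. Separately, the `else` after `goto invalid_packet;` is redundant and makes the size check read as part of the OGM text branch; a standalone `if` followed by the original `if (pad->map.is_ogm_text) {` would be clearer. The function body starts and ends outside the hunk.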
@@ -901,6 +903,12 @@ empty_packet:
goto done;
}
+invalid_packet:
+ {
+ GST_DEBUG_OBJECT (ogg, "Skipping invalid packet");
+ goto done;
+ }
+
no_timestamp:
{
GST_DEBUG_OBJECT (ogg, "skipping packet: no valid granule found yet");
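Review bot: The message logged at `invalid_packet:` does not say which sizes failed the check, so a malformed stream dropped here is hard to triage from logs. I would include `offset`, `trim` and `packet->bytes` in the `GST_DEBUG_OBJECT` call, with format specifiers matching their declared types, which are not visible in this hunk. A short comment above the label, such as `/* offset + trim exceeds packet->bytes: drop the packet */`, would also record why this path exists. What `done:` returns on this path is outside the hunk and worth confirming, so that one bad packet is skipped in the way the commit message intends.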