From 43736e5c376b0d79680817a28349aaa300f14c0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 23 Nov 2016 10:52:05 +0200
Subject: [PATCH] h265parse: Ensure codec_data has the required size when
 reading number of NAL arrays

https://bugzilla.gnome.org/show_bug.cgi?id=774896
---
 gst/videoparsers/gsth265parse.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Index: gst-plugins-bad1.0-1.4.4/gst/videoparsers/gsth265parse.c
===================================================================
--- gst-plugins-bad1.0-1.4.4.orig/gst/videoparsers/gsth265parse.c
+++ gst-plugins-bad1.0-1.4.4/gst/videoparsers/gsth265parse.c
@@ -1767,6 +1767,7 @@ gst_h265_parse_set_caps (GstBaseParse *
       (value = gst_structure_get_value (str, "codec_data"))) {
     GstMapInfo map;
     guint8 *data;
+    guint num_nal_arrays;
 
     GST_DEBUG_OBJECT (h265parse, "have packetized h265");
     /* make note for optional split processing */
@@ -1795,8 +1796,15 @@ gst_h265_parse_set_caps (GstBaseParse *
     GST_DEBUG_OBJECT (h265parse, "nal length size %u",
         h265parse->nal_length_size);
 
+    num_nal_arrays = data[22];
     off = 23;
-    for (i = 0; i < data[22]; i++) {
+
+    for (i = 0; i < num_nal_arrays; i++) {
+      if (off + 3 >= size) {
+        gst_buffer_unmap (codec_data, &map);
+        goto hvcc_too_small;
+      }
+
       num_nals = GST_READ_UINT16_BE (data + off + 1);
       for (j = 0; j < num_nals; j++) {
         parseres = gst_h265_parser_identify_nalu_hevc (h265parse->nalparser,