From 43736e5c376b0d79680817a28349aaa300f14c0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 23 Nov 2016 10:52:05 +0200
Subject: [PATCH] h265parse: Ensure codec_data has the required size when reading number of NAL arrays
https://bugzilla.gnome.org/show_bug.cgi?id=774896
---
 gst/videoparsers/gsth265parse.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
Index: gst-plugins-bad1.0-1.4.4/gst/videoparsers/gsth265parse.c
===================================================================
--- gst-plugins-bad1.0-1.4.4.orig/gst/videoparsers/gsth265parse.c
+++ gst-plugins-bad1.0-1.4.4/gst/videoparsers/gsth265parse.c
@@ -1767,6 +1767,7 @@ gst_h265_parse_set_caps (GstBaseParse *
 (value = gst_structure_get_value (str, "codec_data"))) {
 GstMapInfo map;
 guint8 *data;
+ guint num_nal_arrays;
 GST_DEBUG_OBJECT (h265parse, "have packetized h265");
 /* make note for optional split processing */
@@ -1795,8 +1796,15 @@ gst_h265_parse_set_caps (GstBaseParse *
 GST_DEBUG_OBJECT (h265parse, "nal length size %u",
 h265parse->nal_length_size);
+ num_nal_arrays = data[22];
 off = 23;
- for (i = 0; i < data[22]; i++) {
+
+ for (i = 0; i < num_nal_arrays; i++) {
+ if (off + 3 >= size) {
+ gst_buffer_unmap (codec_data, &map);
+ goto hvcc_too_small;
+ }
+
 num_nals = GST_READ_UINT16_BE (data + off + 1);
 for (j = 0; j < num_nals; j++) {
 parseres = gst_h265_parser_identify_nalu_hevc (h265parse->nalparser,
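Review bot: The guard added at the top of the outer loop in the second hunk, `if (off + 3 >= size)`, uses an unexplained 3 and says nothing about what it protects. The next line, `GST_READ_UINT16_BE (data + off + 1)`, reads bytes off+1 and off+2, so `>=` is one byte stricter than that read needs and also rejects an array header ending exactly at the end of codec_data. That is the safe direction, but the intent should be recorded with a comment such as `/* array header: 1 byte NAL unit type + 2 bytes NAL count */`. The check covers only this header. The read of `data[22]` before the loop and the bounds of each NAL in the `j` loop rely on code outside the hunk (presumably an earlier size check and `gst_h265_parser_identify_nalu_hevc`), so both should be confirmed present in the 1.4.4 tree this backport targets.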