
gstreamer0.10-plugins-bad-0.10.23-22.2.mga5.tainted.src.rpm

From ae98d3537be611de771d94cc48da218d9a8cb540 Mon Sep 17 00:00:00 2001
From: Jan Schmidt <jan@centricular.com>
Date: Wed, 1 Feb 2017 14:37:29 +1100
Subject: mpegdemux: Add extra length checks to TS scanning.

Add some missing size checks to the timestamp scanning
fast path.

--- a/gst/mpegdemux/gstmpegdemux.c
+++ b/gst/mpegdemux/gstmpegdemux.c
@@ -2226,7 +2226,7 @@
 
 static inline gboolean
 gst_flups_demux_scan_ts (GstFluPSDemux * demux, const guint8 * data,
-    SCAN_MODE mode, guint64 * rts)
+    SCAN_MODE mode, guint64 * rts, const guint8 * end)
 {
   gboolean ret = FALSE;
   guint32 scr1, scr2;
@@ -2238,7 +2238,8 @@
   code = GST_READ_UINT32_BE (data);
   if (G_LIKELY (code != ID_PS_PACK_START_CODE))
     goto beach;
-
+  if (data + 12 > end)
+    goto beach;
   /* skip start code */
   data += 4;
 
@@ -2274,6 +2275,9 @@
     /* SCR has been converted into units of 90Khz ticks to make it comparable
        to DTS/PTS, that also implies 1 tick rounding error */
     data += 6;
+
+    if (data + 4 > end)
+      goto beach;
     /* PMR:22 ! :2==11 ! reserved:5 ! stuffing_len:3 */
     next32 = GST_READ_UINT32_BE (data);
     if ((next32 & 0x00000300) != 0x00000300)
@@ -2281,6 +2285,8 @@
 
     stuffing_bytes = (next32 & 0x07);
     data += 4;
+    if (data + stuffing_bytes > end)
+      goto beach;
     while (stuffing_bytes--) {
       if (*data++ != 0xff)
         goto beach;
@@ -2306,6 +2312,9 @@
     ret = TRUE;
   }
 
+  if (data + 8 > end)
+    goto beach;
+
   /* read the 4 bytes for the PES sync code */
   code = GST_READ_UINT32_BE (data);
   if (!gst_flups_demux_is_pes_sync (code))
@@ -2436,7 +2445,8 @@
     end_scan = GST_BUFFER_SIZE (buffer) - scan_sz;
     /* scan the block */
     for (cursor = 0; !found && cursor <= end_scan; cursor++) {
-      found = gst_flups_demux_scan_ts (demux, data++, mode, &ts);
+      found = gst_flups_demux_scan_ts (demux, data++, mode, &ts,
+          GST_BUFFER_DATA (buffer) + GST_BUFFER_SIZE (buffer));
     }
 
     /* done with the buffer, unref it */
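Review bot: The `end` argument `GST_BUFFER_DATA (buffer) + GST_BUFFER_SIZE (buffer)` is loop-invariant but is recomputed on every iteration of the scan loop; computing it once before the loop, `const guint8 *end = GST_BUFFER_DATA (buffer) + GST_BUFFER_SIZE (buffer);`, and passing `end` reads more clearly and matches the parameter name in the callee. The same applies to the backward-scan loop in the next hunk. Separately, `end_scan = GST_BUFFER_SIZE (buffer) - scan_sz` on the first context line would wrap if the buffer were shorter than `scan_sz` and `end_scan` is unsigned; the types are not visible here, so this is worth confirming, because the new bound checks in the callee only begin after its first 4-byte read. The enclosing function starts and ends outside this hunk.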
@@ -2486,7 +2496,8 @@
     data = GST_BUFFER_DATA (buffer) + start_scan;
     /* scan the block */
     for (cursor = (start_scan + 1); !found && cursor > 0; cursor--) {
-      found = gst_flups_demux_scan_ts (demux, data--, mode, &ts);
+      found = gst_flups_demux_scan_ts (demux, data--, mode, &ts,
+          GST_BUFFER_DATA (buffer) + GST_BUFFER_SIZE (buffer));
     }
 
     /* done with the buffer, unref it */