authorJulien Isorce <julien.isorce@gmail.com>2011-12-12 14:54:00 +0100
committerSebastian Dröge <sebastian.droege@collabora.co.uk>2011-12-12 15:05:16 +0100
commite62978d045d57ee9fed7598c02b9017eb974ea36 (patch)
treec3e23045f58f135abc008f2c6bedc8f8d022f25d /gst/mpegdemux
parent63110cab94b56605e8df06b4295bf23544d5ed58 (diff)
mpegtsparse: check offset when retrieving table_id on malformed packets
Diffstat (limited to 'gst/mpegdemux')
-rw-r--r--gst/mpegdemux/mpegtsparse.c23
1 files changed, 17 insertions, 6 deletions
diff --git a/gst/mpegdemux/mpegtsparse.c b/gst/mpegdemux/mpegtsparse.c
index 8a33fc1ef..14372d37b 100644
--- a/gst/mpegdemux/mpegtsparse.c
+++ b/gst/mpegdemux/mpegtsparse.c
@@ -1,7 +1,7 @@
/*
- * mpegtsparse.c -
+ * mpegtsparse.c -
* Copyright (C) 2007 Alessandro Decina
- *
+ *
* Authors:
* Alessandro Decina <alessandro@nnva.org>
* Zaheer Abbas Merali <zaheerabbas at merali dot org>
@@ -222,11 +222,9 @@ mpegts_parse_base_init (gpointer klass)
{
GstElementClass *element_class = GST_ELEMENT_CLASS (klass);
- gst_element_class_add_static_pad_template (element_class,
- &sink_template);
+ gst_element_class_add_static_pad_template (element_class, &sink_template);
gst_element_class_add_static_pad_template (element_class, &src_template);
- gst_element_class_add_static_pad_template (element_class,
- &program_template);
+ gst_element_class_add_static_pad_template (element_class, &program_template);
gst_element_class_set_details_simple (element_class,
"MPEG transport stream parser", "Codec/Parser",
@@ -894,6 +892,19 @@ mpegts_parse_is_psi (MpegTSParse * parse, MpegTSPacketizerPacket * packet)
if (packet->payload_unit_start_indicator) {
data = packet->data;
pointer = *data++;
+ /* avoid out of range:
+ * packet->data is equal to GST_BUFFER_DATA (packet->buffer)
+ * so the data size is GST_BUFFER_SIZE (packet->buffer).
+ * 'pointer' is the offset (the next line is data += pointer)
+ * so we need to check that 'pointer' is not greater than the data size
+ * For example GST_BUFFER_SIZE (packet->buffer) is typically equal to 188
+ * So 'pointer' has to be strictly less than 188
+ */
+ if (!(pointer < GST_BUFFER_SIZE (packet->buffer))) {
+ GST_WARNING_OBJECT (parse,
+ "Wrong offset when retrieving table id: 0x%x", pointer);
+ return FALSE;
+ }
data += pointer;
table_id = *data;
i = 0;
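Review bot: The added guard still lets the `table_id = *data` read land one byte past the buffer, because `pointer = *data++` has already advanced `data` by one before `data += pointer`, so the byte read sits at offset `pointer + 1` from `packet->data`. With the 188-byte size the comment cites, `pointer == 187` passes the check and the read is at offset 188; the condition should be `if (pointer + 1 >= GST_BUFFER_SIZE (packet->buffer)) {`. The comment's premise that `packet->data` equals `GST_BUFFER_DATA (packet->buffer)` is not established by anything visible in this hunk; if `packet->data` in fact points past the TS header or an adaptation field, the bound needs to be the number of bytes remaining after `packet->data`, not the whole buffer size. mpegts_parse_is_psi starts and ends outside the hunk.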