diff options
author | Julien Isorce <julien.isorce@gmail.com> | 2011-12-12 14:54:00 +0100 |
---|---|---|
committer | Sebastian Dröge <sebastian.droege@collabora.co.uk> | 2011-12-12 15:05:16 +0100 |
commit | e62978d045d57ee9fed7598c02b9017eb974ea36 (patch) | |
tree | c3e23045f58f135abc008f2c6bedc8f8d022f25d /gst/mpegdemux | |
parent | 63110cab94b56605e8df06b4295bf23544d5ed58 (diff) | |
download | gstreamer-plugins-bad-e62978d045d57ee9fed7598c02b9017eb974ea36.tar.gz |
mpegtsparse: check offset when retrieving table_id on malformed packets
Diffstat (limited to 'gst/mpegdemux')
-rw-r--r-- | gst/mpegdemux/mpegtsparse.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/gst/mpegdemux/mpegtsparse.c b/gst/mpegdemux/mpegtsparse.c index 8a33fc1ef..14372d37b 100644 --- a/gst/mpegdemux/mpegtsparse.c +++ b/gst/mpegdemux/mpegtsparse.c @@ -1,7 +1,7 @@ /* - * mpegtsparse.c - + * mpegtsparse.c - * Copyright (C) 2007 Alessandro Decina - * + * * Authors: * Alessandro Decina <alessandro@nnva.org> * Zaheer Abbas Merali <zaheerabbas at merali dot org> @@ -222,11 +222,9 @@ mpegts_parse_base_init (gpointer klass) { GstElementClass *element_class = GST_ELEMENT_CLASS (klass); - gst_element_class_add_static_pad_template (element_class, - &sink_template); + gst_element_class_add_static_pad_template (element_class, &sink_template); gst_element_class_add_static_pad_template (element_class, &src_template); - gst_element_class_add_static_pad_template (element_class, - &program_template); + gst_element_class_add_static_pad_template (element_class, &program_template); gst_element_class_set_details_simple (element_class, "MPEG transport stream parser", "Codec/Parser", @@ -894,6 +892,19 @@ mpegts_parse_is_psi (MpegTSParse * parse, MpegTSPacketizerPacket * packet) if (packet->payload_unit_start_indicator) { data = packet->data; pointer = *data++; + /* avoid out of range: + * packet->data is equal to GST_BUFFER_DATA (packet->buffer) + * so the data size is GST_BUFFER_SIZE (packet->buffer). + * 'pointer' is the offset (the next line is data += pointer) + * so we need to check that 'pointer' is not greater than the data size + * For example GST_BUFFER_SIZE (packet->buffer) is typically equal to 188 + * So 'pointer' has to be strictly less than 188 + */ + if (!(pointer < GST_BUFFER_SIZE (packet->buffer))) { + GST_WARNING_OBJECT (parse, + "Wrong offset when retrieving table id: 0x%x", pointer); + return FALSE; + } data += pointer; table_id = *data; i = 0; |