diff options
| author | Sebastian Dröge <sebastian@centricular.com> | 2016-11-24 23:36:22 +0200 |
|---|---|---|
| committer | Sebastian Dröge <sebastian@centricular.com> | 2016-11-24 23:40:21 +0200 |
| commit | b5bb6e3b38587dc53027c4852db090653f3485dd (patch) | |
| tree | 2c78d140b280e60e7d4297841858e298d7c188db /gst/mxf/mxftypes.c | |
| parent | 2a66653bdca0d77b466313ef21d8129559069aa3 (diff) | |
| download | gstreamer-plugins-bad-b5bb6e3b38587dc53027c4852db090653f3485dd.tar.gz | |
mxfdemux: Add various missing bounds checks, NULL checks and integer overflow protection for error cases
Diffstat (limited to 'gst/mxf/mxftypes.c')
| -rw-r--r-- | gst/mxf/mxftypes.c | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/gst/mxf/mxftypes.c b/gst/mxf/mxftypes.c index 14e236292..4063fe041 100644 --- a/gst/mxf/mxftypes.c +++ b/gst/mxf/mxftypes.c @@ -351,7 +351,7 @@ mxf_uuid_array_parse (MXFUUID ** array, guint32 * count, const guint8 * data, return FALSE; } - if (16 * element_count < size) { + if (element_count > size / 16) { *array = NULL; *count = 0; return FALSE; @@ -1167,7 +1167,7 @@ mxf_index_table_segment_parse (const MXFUL * ul, tag_data += 4; tag_size -= 4; - if (tag_size < len * 6) + if (tag_size / 6 < len) goto error; segment->delta_entries = g_new (MXFDeltaEntry, len); @@ -1216,7 +1216,7 @@ mxf_index_table_segment_parse (const MXFUL * ul, tag_data += 4; tag_size -= 4; - if (tag_size < len * 11) + if (tag_size / 11 < len) goto error; segment->index_entries = g_new0 (MXFIndexEntry, len); @@ -1289,9 +1289,11 @@ mxf_index_table_segment_reset (MXFIndexTableSegment * segment) g_return_if_fail (segment != NULL); - for (i = 0; i < segment->n_index_entries; i++) { - g_free (segment->index_entries[i].slice_offset); - g_free (segment->index_entries[i].pos_table); + if (segment->index_entries) { + for (i = 0; i < segment->n_index_entries; i++) { + g_free (segment->index_entries[i].slice_offset); + g_free (segment->index_entries[i].pos_table); + } } g_free (segment->index_entries); @@ -1447,14 +1449,16 @@ mxf_primer_pack_parse (const MXFUL * ul, MXFPrimerPack * pack, n = GST_READ_UINT32_BE (data); data += 4; + size -= 4; GST_DEBUG (" number of mappings = %u", n); if (GST_READ_UINT32_BE (data) != 18) goto error; data += 4; + size -= 4; - if (size < 8 + n * 18) + if (size / 18 < n) goto error; for (i = 0; i < n; i++) { @@ -1618,10 +1622,13 @@ mxf_local_tag_parse (const guint8 * data, guint size, guint16 * tag, *tag = GST_READ_UINT16_BE (data); *tag_size = GST_READ_UINT16_BE (data + 2); - if (size < 4 + *tag_size) + data += 4; + size -= 4; + + if (size < *tag_size) return FALSE; - *tag_data = data + 4; + *tag_data = data; return TRUE; } |