authorSebastian Dröge <sebastian@centricular.com>2015-12-28 12:28:26 +0200
committerSebastian Dröge <sebastian@centricular.com>2015-12-28 13:51:28 +0200
commit60e8f9074a45361711b0ba9ee929554f13a6d4a9 (patch)
tree7b9f08ba247432f757824180808c18395691147b
parente2bf84869426ff767218f0a696095401f086f7f6 (diff)
typefindfunctions: Make sure that enough data is available in AAC/ADTS typefinder
We would otherwise read beyond the array bounds and crash every now and then. This was introduced with 5640ba17c8db80976b7718904e4024dcfe9ee1a0. https://bugzilla.gnome.org/show_bug.cgi?id=759910
-rw-r--r--gst/typefind/gsttypefindfunctions.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/gst/typefind/gsttypefindfunctions.c b/gst/typefind/gsttypefindfunctions.c
index 2bedf18c4..4732c4e46 100644
--- a/gst/typefind/gsttypefindfunctions.c
+++ b/gst/typefind/gsttypefindfunctions.c
@@ -1050,7 +1050,7 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
len = ((c.data[3] & 0x03) << 11) |
(c.data[4] << 3) | ((c.data[5] & 0xe0) >> 5);
- if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) {
+ if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 6)) {
GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len);
goto next;
}
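Review bot: The `len == 0` test in front of the new `len + 6` bound still lets a frame length of 1 to 6 through, which is shorter than the 7-byte fixed ADTS header, so the "next frame" would be looked for inside the current header. After this change that is no longer an out-of-bounds read, but it makes it easier for crafted or random input to chain false syncs; consider `if (len < 7 || !data_scan_ctx_ensure_data (tf, &c, len + 6)) {`. The same condition is repeated in the hunks at 1110 and 1120. aac_type_find starts and ends outside the hunk, so whether a later check already rejects such lengths cannot be seen from here.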
@@ -1110,7 +1110,7 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
len = ((c.data[offset + 3] & 0x03) << 11) |
(c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5);
- if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) {
+ if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, offset + len + 6)) {
GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len);
gst_type_find_suggest (tf, GST_TYPE_FIND_LIKELY, caps);
} else {
@@ -1120,7 +1120,8 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
for (i = 3; i <= 6; i++) {
len = ((c.data[offset + 3] & 0x03) << 11) |
(c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5);
- if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) {
+ if (len == 0
+ || !data_scan_ctx_ensure_data (tf, &c, offset + len + 6)) {
GST_DEBUG ("Wrong sync or next frame not within reach, len=%u",
len);
break;
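Review bot: The length bytes `c.data[offset + 3]` to `c.data[offset + 5]` are read at the top of each loop iteration, before that iteration's own `data_scan_ctx_ensure_data` call. The read is therefore in bounds only if the previous call reserved `offset + len + 6` bytes and `offset` then advanced by exactly `len`; that advance is outside the hunk. The bare `6` now appears three times (also in the hunks at 1050 and 1110) with nothing saying why, and the bug being fixed was this bound being too small. I would add a comment above the check such as `/* need the next frame's header through its length field: bytes offset+len .. offset+len+5 */`, or give the constant a name.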