From 5e7d31c341ba296fa8485569f272638735f5b0b9 Mon Sep 17 00:00:00 2001
From: Edward Hervey
Date: Sat, 4 Nov 2017 11:28:47 +0100
Subject: oggdemux: Protect against invalid granule positions

Only valid values are -1, 0 or positive values. Anything else is most likely corrupted data streams
---
 ext/ogg/gstoggdemux.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ext/ogg/gstoggdemux.c b/ext/ogg/gstoggdemux.c
index 12b67c691..384757a89 100644
--- a/ext/ogg/gstoggdemux.c
+++ b/ext/ogg/gstoggdemux.c
@@ -662,7 +662,7 @@ gst_ogg_demux_chain_peer (GstOggPad * pad, ogg_packet * packet,
 out_offset = 0;
 out_offset_end = -1;
 } else {
- if (packet->granulepos != -1) {
+ if (packet->granulepos > -1) {
 gint64 granule = gst_ogg_stream_granulepos_to_granule (&pad->map,
 packet->granulepos);
 if (granule < 0) {
@@ -1271,6 +1271,15 @@ gst_ogg_pad_stream_out (GstOggPad * pad, gint npackets)
 break;
 case 1:
 GST_LOG_OBJECT (ogg, "packetout gave packet of size %ld", packet.bytes);
+
+ if (packet.granulepos < -1) {
+ GST_WARNING_OBJECT (ogg,
+ "Invalid granulepos (%" G_GINT64_FORMAT "), resetting stream",
+ packet.granulepos);
+ gst_ogg_pad_reset (pad);
+ break;
+ }
+
 if (packet.bytes > ogg->max_packet_size)
 ogg->max_packet_size = packet.bytes;
 result = gst_ogg_pad_submit_packet (pad, &packet);
-- 
cgit v1.2.1
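Review bot: In gst_ogg_demux_chain_peer the new `packet->granulepos > -1` test sends every value below -1 down the same path as the -1 "no granule position" sentinel, and nothing at the condition records or logs that. A short comment above the `if` would state the intent, for example `/* -1 = no granulepos; other negative values are invalid and handled as unset */`. The alternative branch of this `if` lies outside the hunk, so whether treating a corrupt value as unset is safe there should be checked against the full function.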
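Review bot: The new warning in gst_ogg_pad_stream_out passes `packet.granulepos` directly to a `G_GINT64_FORMAT` conversion; libogg declares that field as `ogg_int64_t`, which is not guaranteed to have the same underlying type as `gint64` on every platform, so the argument should be cast: `(gint64) packet.granulepos);`. Separately, the added `break;` only leaves the `switch` case, and any enclosing loop is outside the hunk. It is worth confirming that the loop terminates or makes progress after `gst_ogg_pad_reset (pad)`, and that a crafted stream carrying many such packets cannot force a reset plus a warning for each one without bound.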