author | reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2010-07-10 16:48:59 +0000 |
---|---|---|
committer | Uoti Urpala <uau@glyph.nonexistent.invalid> | 2010-11-02 04:14:43 +0200 |
commit | 29f20dc812f49e6b4648a9c045a35bbfa0f7a961 (patch) | |
tree | bbbcf4c4b8ea250d6b59d2173c711521f25b1670 | |
parent | 5c53ce6bae5575fc708798221dba9e856a8caa8f (diff) | |
demux_ts: add memory access checks
Add packet->len checks to avoid out-of-bounds reads and negative
es->size values.
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@31671 b3059339-0415-0410-9bf9-f77b7e298cf2
-rw-r--r-- | libmpdemux/demux_ts.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/libmpdemux/demux_ts.c b/libmpdemux/demux_ts.c
index 31c2c534d1..46a2853207 100644
--- a/libmpdemux/demux_ts.c
+++ b/libmpdemux/demux_ts.c
@@ -1483,7 +1483,7 @@ static int pes_parse2(unsigned char *buf, uint16_t packet_len, ES_stream_t *es,
 if(
 (type_from_pmt == AUDIO_A52) || /* A52 - raw */
- (p[0] == 0x0B && p[1] == 0x77) /* A52 - syncword */
+ (packet_len >= 2 && p[0] == 0x0B && p[1] == 0x77) /* A52 - syncword */
 )
 {
 mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 RAW OR SYNCWORD\n");
@@ -1496,7 +1496,7 @@ static int pes_parse2(unsigned char *buf, uint16_t packet_len, ES_stream_t *es,
 }
 /* SPU SUBS */
 else if(type_from_pmt == SPU_DVB ||
- ((p[0] == 0x20) && pes_is_aligned)) // && p[1] == 0x00))
+ (packet_len >= 1 && (p[0] == 0x20) && pes_is_aligned)) // && p[1] == 0x00))
 {
 es->start = p;
 es->size = packet_len;
@@ -1505,7 +1505,7 @@ static int pes_parse2(unsigned char *buf, uint16_t packet_len, ES_stream_t *es,
 return 1;
 }
- else if (pes_is_aligned && ((p[0] & 0xE0) == 0x20)) //SPU_DVD
+ else if (pes_is_aligned && packet_len >= 1 && ((p[0] & 0xE0) == 0x20)) //SPU_DVD
 {
 //DVD SUBS
 es->start = p+1;
@@ -1515,7 +1515,7 @@ static int pes_parse2(unsigned char *buf, uint16_t packet_len, ES_stream_t *es,
 return 1;
 }
- else if (pes_is_aligned && (p[0] & 0xF8) == 0x80)
+ else if (pes_is_aligned && packet_len >= 4 && (p[0] & 0xF8) == 0x80)
 {
 mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 WITH HEADER\n");
 es->start = p+4;
@@ -1525,7 +1525,7 @@ static int pes_parse2(unsigned char *buf, uint16_t packet_len, ES_stream_t *es,
 return 1;
 }
- else if (pes_is_aligned && ((p[0]&0xf0) == 0xa0))
+ else if (pes_is_aligned && packet_len >= 1 && ((p[0]&0xf0) == 0xa0))
 {
 int pcm_offset; |
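Review bot: The A52 syncword guard at @@ -1483, like the matching guards in the four later hunks, is only sound if `packet_len` counts the bytes still readable at `p`, and nothing visible in these hunks establishes that; `p` and any earlier adjustment of `packet_len` are set in the part of pes_parse2 that lies outside the hunk. A one-line comment ahead of the chain would pin the invariant, e.g. `/* packet_len = bytes left at p; guard every p[i] read with it */`. The PMT-typed alternatives (`type_from_pmt == AUDIO_A52` here, `type_from_pmt == SPU_DVB` at @@ -1496) still take their branch when `packet_len` is 0, so the code they feed has to tolerate an empty payload; that looks intended but is worth confirming.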
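Review bot: In the `A52 WITH HEADER` branch at @@ -1515 the bound `packet_len >= 4` is not explained by the condition itself, which reads only `p[0]`; it evidently covers the `es->start = p+4` skip that follows. Tie the two together so a later change to the offset cannot drift away from the guard, either with a comment such as `/* need the 4 bytes skipped by es->start = p+4 */` or with one named constant used in both places. The rest of the branch is outside the hunk, so the size computation could not be checked here.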
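Review bot: The `packet_len >= 1` added to the `(p[0]&0xf0) == 0xa0` test at @@ -1525 bounds only the read of `p[0]`; the branch body opens with `int pcm_offset;` and continues outside the hunk. If that body indexes `p[pcm_offset]` or subtracts an offset from `packet_len`, each of those needs its own bound, because the one-byte guard does not imply them. A comment at the top of the body, `/* only p[0] is known readable here; bound pcm_offset against packet_len */`, would make that explicit for the next reader.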