From 5c53ce6bae5575fc708798221dba9e856a8caa8f Mon Sep 17 00:00:00 2001
From: reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Sat, 10 Jul 2010 16:43:00 +0000
Subject: demux_ts: fix crash on broken packets

Check packet size before memmove to avoid crashes e.g. if we recognized the
wrong type and subtracted more header bytes than there are overall bytes.

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@31669 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpdemux/demux_ts.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libmpdemux')

diff --git a/libmpdemux/demux_ts.c b/libmpdemux/demux_ts.c
index 2daa7fd50b..31c2c534d1 100644
--- a/libmpdemux/demux_ts.c
+++ b/libmpdemux/demux_ts.c
@@ -3151,6 +3151,10 @@ static int ts_parse(demuxer_t *demuxer , ES_stream_t *es, unsigned char *packet,
 
 				demuxer->filepos = stream_tell(demuxer->stream) - es->size;
 
+				if(es->size < 0 || es->size > buf_size) {
+					mp_msg(MSGT_DEMUX, MSGL_ERR, "Broken ES packet size\n");
+					es->size = 0;
+				}
 				memmove(p, es->start, es->size);
 				*dp_offset += es->size;
 				(*dp)->flags = 0;
-- 
cgit v1.2.3