author | Sebastian Dröge <slomo@circular-chaos.org> | 2008-10-27 09:37:21 +0000 |
---|---|---|
committer | Sebastian Dröge <slomo@circular-chaos.org> | 2008-10-27 09:37:21 +0000 |
commit | 9f2ab85a37a62f863c853cf1996cc99801dd2546 (patch) | |
tree | ebb543763e6eac5a09d66ab926e009d97fadf927 /gst | |
parent | 881490ded687a2712f7617dba3ccc1d9fd38b47b (diff) | |
gst/flv/gstflvparse.c: Properly check everywhere that we have enough data to parse and don't read outside the allocat...
Original commit message from CVS:
* gst/flv/gstflvparse.c: (FLV_GET_STRING),
(gst_flv_parse_tag_audio), (gst_flv_parse_tag_video),
(gst_flv_parse_tag_type), (gst_flv_parse_header):
Properly check everywhere that we have enough data to parse and
don't read outside the allocated memory region.
Diffstat (limited to 'gst')
-rw-r--r-- | gst/flv/gstflvparse.c | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/gst/flv/gstflvparse.c b/gst/flv/gstflvparse.c index e7c4f144..8c52b4dd 100644 --- a/gst/flv/gstflvparse.c +++ b/gst/flv/gstflvparse.c @@ -48,7 +48,7 @@ FLV_GET_STRING (const guint8 * data, size_t data_size) g_return_val_if_fail (data_size >= 2, NULL); string_size = GST_READ_UINT16_BE (data); - if (G_UNLIKELY (string_size > data_size)) { + if (G_UNLIKELY (string_size > data_size - 2)) { return NULL; } @@ -504,6 +504,8 @@ gst_flv_parse_tag_audio (GstFLVDemux * demux, const guint8 * data, GST_LOG_OBJECT (demux, "parsing an audio tag"); + g_return_val_if_fail (data_size == demux->tag_size, GST_FLOW_ERROR); + GST_LOG_OBJECT (demux, "pts bytes %02X %02X %02X %02X", data[0], data[1], data[2], data[3]); @@ -513,6 +515,12 @@ gst_flv_parse_tag_audio (GstFLVDemux * demux, const guint8 * data, pts_ext = GST_READ_UINT8 (data + 3); /* Combine them */ pts |= pts_ext << 24; + + if (data_size < 12) { + GST_ERROR_OBJECT (demux, "Too small tag size"); + return GST_FLOW_ERROR; + } + /* Skip the stream id and go directly to the flags */ flags = GST_READ_UINT8 (data + 7); @@ -826,6 +834,8 @@ gst_flv_parse_tag_video (GstFLVDemux * demux, const guint8 * data, gboolean keyframe = FALSE; guint8 flags = 0, codec_tag = 0; + g_return_val_if_fail (data_size == demux->tag_size, GST_FLOW_ERROR); + GST_LOG_OBJECT (demux, "parsing a video tag"); GST_LOG_OBJECT (demux, "pts bytes %02X %02X %02X %02X", data[0], data[1], @@ -837,6 +847,12 @@ gst_flv_parse_tag_video (GstFLVDemux * demux, const guint8 * data, pts_ext = GST_READ_UINT8 (data + 3); /* Combine them */ pts |= pts_ext << 24; + + if (data_size < 12) { + GST_ERROR_OBJECT (demux, "Too small tag size"); + return GST_FLOW_ERROR; + } + /* Skip the stream id and go directly to the flags */ flags = GST_READ_UINT8 (data + 7); 
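Review bot: The subtraction in `string_size > data_size - 2` (FLV_GET_STRING hunk) is only safe while the `g_return_val_if_fail (data_size >= 2, NULL)` context line above it is active; `data_size` is `size_t`, so in a GLib build with `G_DISABLE_CHECKS` a value below 2 wraps around and the comparison rejects nothing. The same macro is what this commit adds as the length guard in gst_flv_parse_tag_type (`data_size >= 4`) and gst_flv_parse_header (`data_size >= 9`), and as the `data_size == demux->tag_size` check in the audio and video tag parsers. If these sizes can be influenced by the file being demuxed, as the commit message suggests, a plain runtime test such as `if (G_UNLIKELY (data_size < 2)) return NULL;` (and the matching `return GST_FLOW_ERROR;` forms in the other functions) keeps the bound in every build and avoids logging a critical for malformed input. All of these function bodies continue outside their hunks.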
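Review bot: The added `if (data_size < 12)` test in gst_flv_parse_tag_audio comes after the timestamp bytes have already been read: the `GST_LOG_OBJECT` call prints `data[0]` to `data[3]` and the pts code reads up to `data + 3` before the size is checked, so a tag shorter than four bytes is still read past its end. Moving the test directly below the `data_size == demux->tag_size` line, ahead of the first access to `data`, closes that gap. The hunk at `@@ -837,6 +847,12 @@` has the same ordering in gst_flv_parse_tag_video. A comment stating which header fields the constant 12 accounts for would also help, since the reads that depend on it lie outside the hunk.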
@@ -1138,6 +1154,8 @@ gst_flv_parse_tag_type (GstFLVDemux * demux, const guint8 * data, GstFlowReturn ret = GST_FLOW_OK; guint8 tag_type = 0; + g_return_val_if_fail (data_size >= 4, GST_FLOW_ERROR); + tag_type = data[0]; switch (tag_type) { @@ -1173,6 +1191,8 @@ gst_flv_parse_header (GstFLVDemux * demux, const guint8 * data, { GstFlowReturn ret = GST_FLOW_OK; + g_return_val_if_fail (data_size >= 9, GST_FLOW_ERROR); + /* Check for the FLV tag */ if (data[0] == 'F' && data[1] == 'L' && data[2] == 'V') { GST_DEBUG_OBJECT (demux, "FLV header detected"); |