-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | gst/flv/gstflvparse.c | 22 |
2 files changed, 29 insertions, 1 deletions
@@ -1,5 +1,13 @@ 2008-10-27 Sebastian Dröge <sebastian.droege@collabora.co.uk> + * gst/flv/gstflvparse.c: (FLV_GET_STRING), + (gst_flv_parse_tag_audio), (gst_flv_parse_tag_video), + (gst_flv_parse_tag_type), (gst_flv_parse_header): + Properly check everywhere that we have enough data to parse and + don't read outside the allocated memory region. + +2008-10-27 Sebastian Dröge <sebastian.droege@collabora.co.uk> + * gst/flv/gstflvparse.c: (gst_flv_parse_tag_audio), (gst_flv_parse_tag_video): If the caps change during playback and negotiation fails error out diff --git a/gst/flv/gstflvparse.c b/gst/flv/gstflvparse.c index e7c4f144..8c52b4dd 100644 --- a/gst/flv/gstflvparse.c +++ b/gst/flv/gstflvparse.c @@ -48,7 +48,7 @@ FLV_GET_STRING (const guint8 * data, size_t data_size) g_return_val_if_fail (data_size >= 2, NULL); string_size = GST_READ_UINT16_BE (data); - if (G_UNLIKELY (string_size > data_size)) { + if (G_UNLIKELY (string_size > data_size - 2)) { return NULL; } @@ -504,6 +504,8 @@ gst_flv_parse_tag_audio (GstFLVDemux * demux, const guint8 * data, GST_LOG_OBJECT (demux, "parsing an audio tag"); + g_return_val_if_fail (data_size == demux->tag_size, GST_FLOW_ERROR); + GST_LOG_OBJECT (demux, "pts bytes %02X %02X %02X %02X", data[0], data[1], data[2], data[3]); @@ -513,6 +515,12 @@ gst_flv_parse_tag_audio (GstFLVDemux * demux, const guint8 * data, pts_ext = GST_READ_UINT8 (data + 3); /* Combine them */ pts |= pts_ext << 24; + + if (data_size < 12) { + GST_ERROR_OBJECT (demux, "Too small tag size"); + return GST_FLOW_ERROR; + } + /* Skip the stream id and go directly to the flags */ flags = GST_READ_UINT8 (data + 7); @@ -826,6 +834,8 @@ gst_flv_parse_tag_video (GstFLVDemux * demux, const guint8 * data, gboolean keyframe = FALSE; guint8 flags = 0, codec_tag = 0; + g_return_val_if_fail (data_size == demux->tag_size, GST_FLOW_ERROR); + GST_LOG_OBJECT (demux, "parsing a video tag"); GST_LOG_OBJECT (demux, "pts bytes %02X %02X %02X %02X", data[0], data[1], 
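Review bot: The corrected bound in FLV_GET_STRING, `string_size > data_size - 2`, is only safe while the `g_return_val_if_fail (data_size >= 2, NULL)` above it is compiled in. GLib drops these macros when built with G_DISABLE_CHECKS, and then `data_size - 2` wraps around for a size_t below 2, so the comparison never rejects. Lengths taken from the stream are input rather than caller bugs, so an ordinary branch fits better: `if (G_UNLIKELY (data_size < 2 || string_size > data_size - 2)) return NULL;`. The same applies to the `g_return_val_if_fail` guards this commit adds in gst_flv_parse_tag_audio, gst_flv_parse_tag_video, gst_flv_parse_tag_type and gst_flv_parse_header, which would also log a critical warning for a merely truncated file.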
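Review bot: In gst_flv_parse_tag_audio the `data_size < 12` test sits after `data[0]`..`data[3]` have already been logged and read into `pts`, so nothing visible in these hunks bounds those first reads. Unless `demux->tag_size` is guaranteed elsewhere to be at least 4, the check belongs before the `GST_LOG_OBJECT` that prints the pts bytes. The same placement occurs in the gst_flv_parse_tag_video hunk at `@@ -837,6 +847,12 @@`. The literal 12 is also unexplained, and a one-line comment naming the fields it covers would make the bound reviewable against the reads that follow. Both function bodies continue outside the hunks.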
@@ -837,6 +847,12 @@ gst_flv_parse_tag_video (GstFLVDemux * demux, const guint8 * data, pts_ext = GST_READ_UINT8 (data + 3); /* Combine them */ pts |= pts_ext << 24; + + if (data_size < 12) { + GST_ERROR_OBJECT (demux, "Too small tag size"); + return GST_FLOW_ERROR; + } + /* Skip the stream id and go directly to the flags */ flags = GST_READ_UINT8 (data + 7); @@ -1138,6 +1154,8 @@ gst_flv_parse_tag_type (GstFLVDemux * demux, const guint8 * data, GstFlowReturn ret = GST_FLOW_OK; guint8 tag_type = 0; + g_return_val_if_fail (data_size >= 4, GST_FLOW_ERROR); + tag_type = data[0]; switch (tag_type) { @@ -1173,6 +1191,8 @@ gst_flv_parse_header (GstFLVDemux * demux, const guint8 * data, { GstFlowReturn ret = GST_FLOW_OK; + g_return_val_if_fail (data_size >= 9, GST_FLOW_ERROR); + /* Check for the FLV tag */ if (data[0] == 'F' && data[1] == 'L' && data[2] == 'V') { GST_DEBUG_OBJECT (demux, "FLV header detected"); |
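Review bot: The literal `9` in the gst_flv_parse_header guard is not explained where it is used; it matches the fixed FLV file header (3-byte signature, 1-byte version, 1-byte flags, 4-byte data offset). I would add `/* FLV header: "FLV" + version + flags + 4-byte data offset = 9 bytes */` above the check, or use a named constant, so later edits keep the bound in step with the highest index the function reads. The function body continues outside the hunk, so whether every later access stays below 9 cannot be confirmed from here.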