Add buffer length checks to every typefinding function

Original commit message from CVS:
Add buffer length checks to every typefinding function

7 files changed, 28 insertions, 5 deletions

diff --git a/ext/audiofile/gstaftypes.c b/ext/audiofile/gstaftypes.c
index 8765f2b5..26832d76 100644
--- a/ext/audiofile/gstaftypes.c
+++ b/ext/audiofile/gstaftypes.c
@@ -58,7 +58,7 @@ gst_aftypes_type_find(GstBuffer *buf, gpointer private)
   int file_format, format_version;
   gchar *type;
 
-  g_print("calling gst_aftypes_type_find\n");
+  GST_DEBUG("calling gst_aftypes_type_find");
 
   buffer_wrap->buffer = buf;
   buffer_wrap->offset = 0;
@@ -76,7 +76,7 @@ gst_aftypes_type_find(GstBuffer *buf, gpointer private)
   file_format = afGetFileFormat (file, &format_version);
   afCloseFile (file);
 
-  g_print("file format: %d\n", file_format);
+  GST_DEBUG("file format: %d", file_format);
 
   /* reject raw data, just in case it is some other format */
   if (file_format == AF_FILE_UNKNOWN ||
diff --git a/ext/ivorbis/vorbis.c b/ext/ivorbis/vorbis.c
index 4a95c14e..65ef4b06 100644
--- a/ext/ivorbis/vorbis.c
+++ b/ext/ivorbis/vorbis.c
@@ -83,7 +83,12 @@ static GstTypeDefinition vorbisdefinition = {
 static GstCaps* 
 vorbis_type_find (GstBuffer *buf, gpointer private) 
 {
-  guint32 head = GUINT32_FROM_BE (*((guint32 *)GST_BUFFER_DATA (buf)));
+  guint32 head;
+    
+  if (GST_BUFFER_SIZE (buf) < 4)
+    return NULL;
+
+  head = GUINT32_FROM_BE (*((guint32 *)GST_BUFFER_DATA (buf)));
 
   if (head  != 0x4F676753)
     return NULL;
diff --git a/ext/swfdec/gstswfdec.c b/ext/swfdec/gstswfdec.c
index e56b9da1..a052fe7a 100644
--- a/ext/swfdec/gstswfdec.c
+++ b/ext/swfdec/gstswfdec.c
@@ -631,6 +631,9 @@ swf_type_find(GstBuffer *buf, gpointer private)
 {
 	gchar *data = GST_BUFFER_DATA(buf);
 
+	if (GST_BUFFER_SIZE (buf) < 4)
+	  return NULL;
+
 	if((data[0] != 'F' && data[0] != 'C') ||
 	    data[1] != 'W' || data[2] != 'S')return NULL;
 
diff --git a/ext/tarkin/gsttarkin.c b/ext/tarkin/gsttarkin.c
index 69fee01a..6e9abbc1 100644
--- a/ext/tarkin/gsttarkin.c
+++ b/ext/tarkin/gsttarkin.c
@@ -69,11 +69,16 @@ static GstTypeDefinition tarkindefinition =
 static GstCaps* 
 tarkin_type_find (GstBuffer *buf, gpointer private) 
 {
-  guint32 head = GUINT32_FROM_BE (*((guint32 *)GST_BUFFER_DATA (buf)));
+  guint32 head;
+
+  if (GST_BUFFER_SIZE (buf) < 4)
+    return NULL;
 
   /* FIXME */
   return NULL;
   
+  head = GUINT32_FROM_BE (*((guint32 *)GST_BUFFER_DATA (buf)));
+
   if (head  != 0x4F676753)
     return NULL;
 
diff --git a/gst/cdxaparse/gstcdxaparse.c b/gst/cdxaparse/gstcdxaparse.c
index 1c2141b2..5af9bd81 100644
--- a/gst/cdxaparse/gstcdxaparse.c
+++ b/gst/cdxaparse/gstcdxaparse.c
@@ -167,6 +167,9 @@ cdxa_type_find (GstBuffer *buf,
 
   GST_DEBUG ("cdxa_parse: typefind");
 
+  if (GST_BUFFER_SIZE (buf) < 12)
+    return NULL;
+
   if (GUINT32_FROM_LE (((guint32 *)data)[0]) != GST_RIFF_TAG_RIFF)
     return NULL;
   if (GUINT32_FROM_LE (((guint32 *)data)[2]) != GST_RIFF_RIFF_CDXA)
diff --git a/gst/festival/gstfestival.c b/gst/festival/gstfestival.c
index 7f40e3b0..87416184 100644
--- a/gst/festival/gstfestival.c
+++ b/gst/festival/gstfestival.c
@@ -203,8 +203,12 @@ text_type_find (GstBuffer *buf, gpointer private)
   gchar *data = GST_BUFFER_DATA (buf);
   gint i;
 
+  /* 20 is arbitrary.  4 is definitely too small. */
+  if (GST_BUFFER_SIZE (buf) < 20)
+    return NULL;
+
   for (i=0; i<GST_BUFFER_SIZE (buf); i++) {
-    if (!isprint(*(data+i)))
+    if (!isprint(data[i]) && data[i]!='\n')
       return NULL;
   }
 
diff --git a/gst/modplug/gstmodplug.cc b/gst/modplug/gstmodplug.cc
index 9270938b..2fa602f7 100644
--- a/gst/modplug/gstmodplug.cc
+++ b/gst/modplug/gstmodplug.cc
@@ -132,6 +132,9 @@ static GstElementClass *parent_class = NULL;
 static GstCaps* 
 modplug_type_find (GstBuffer *buf, gpointer priv) 
 {  
+  if (GST_BUFFER_SIZE (buf) < 75)
+    return NULL;
+
   if (MOD_CheckType (buf)     ||
       Mod_669_CheckType (buf) ||
       Amf_CheckType (buf)     ||