From 0d14819ef2a5abc368140c2750967888da245e5b Mon Sep 17 00:00:00 2001
From: Edward Hervey
Date: Thu, 1 Feb 2018 10:40:28 +0100
Subject: [PATCH] oggdemux: Handle invalid-sized packets
On invalid packets there is the possibility we might end up wanting to trim/offset more than what is available.
oss-fuzz issue #5866
---
 ext/ogg/gstoggdemux.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ext/ogg/gstoggdemux.c b/ext/ogg/gstoggdemux.c
index fcb0337486..e600b3d6de 100644
--- a/ext/ogg/gstoggdemux.c
+++ b/ext/ogg/gstoggdemux.c
@@ -778,7 +778,9 @@ gst_ogg_demux_chain_peer (GstOggPad * pad, ogg_packet * packet,
 pad->prev_granule = pad->current_granule;
 }
- if (pad->map.is_ogm_text) {
+ if (G_UNLIKELY (offset + trim > packet->bytes))
+ goto invalid_packet;
+ else if (pad->map.is_ogm_text) {
 /* check for invalid buffer sizes */
 if (G_UNLIKELY (offset + trim >= packet->bytes))
 goto empty_packet;
@@ -901,6 +903,12 @@ empty_packet:
 goto done;
 }
+invalid_packet:
+ {
+ GST_DEBUG_OBJECT (ogg, "Skipping invalid packet");
+ goto done;
+ }
+
 no_timestamp:
 {
 GST_DEBUG_OBJECT (ogg, "skipping packet: no valid granule found yet");
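Review bot: The new guard `if (G_UNLIKELY (offset + trim > packet->bytes))` only rejects a sum that exceeds the packet; if `offset` or `trim` are signed and can become negative (their declarations are outside the hunk, so this is an assumption to confirm), a negative value still passes the check and would presumably reach the same buffer arithmetic the patch is protecting, so the condition would be safer as `if (G_UNLIKELY (offset < 0 || trim < 0 || offset + trim > packet->bytes))`. Once the `>` case is diverted to invalid_packet, the inner ogm-text check `offset + trim >= packet->bytes` can only fire on equality, so a short comment such as `/* offset + trim == packet->bytes here: nothing left after trimming */` would stop the apparent redundancy from puzzling the next reader. gst_ogg_demux_chain_peer begins and ends outside the hunk.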
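Review bot: The debug message in the new `invalid_packet` block, `GST_DEBUG_OBJECT (ogg, "Skipping invalid packet");`, records nothing about why the packet was rejected, which makes malformed-stream reports such as the oss-fuzz case this fixes hard to diagnose from logs alone; consider including offset, trim and packet->bytes in the message, with format specifiers matching their declared types. The message also capitalises "Skipping" while the neighbouring `no_timestamp` block uses lower-case "skipping packet: ..."; matching that case keeps the log output consistent.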