FaSTTUBe/GST-Tensordecoder-ov_ep
37
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

tsdemux: fix buffer overflow

Browse Source 
This can happen with a corrupt TS file, found with breakmydata element
plugged before tsdemux.

https://bugzilla.gnome.org/show_bug.cgi?id=708161
This commit is contained in:
Arnaud Vrac 2013-09-16 11:42:48 +02:00 committed by Sebastian Dröge
parent 6b6ecd0942
commit 85ad4f3ad6
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
gst/mpegtsdemux/tsdemux.c
View File

@ -1293,9 +1293,10 @@ gst_ts_demux_parse_pes_header (GstTSDemux * demux, TSDemuxStream * stream,
/* Create the output buffer */ /* Create the output buffer */
if (stream->expected_size) if (stream->expected_size)
stream->allocated_size = stream->expected_size; stream->allocated_size = MAX (stream->expected_size, length);
else else
stream->allocated_size = 8192; stream->allocated_size = MAX (8192, length);
g_assert (stream->data == NULL); g_assert (stream->data == NULL);
stream->data = g_malloc (stream->allocated_size); stream->data = g_malloc (stream->allocated_size);
memcpy (stream->data, data, length); memcpy (stream->data, data, length);
@ -1363,7 +1364,9 @@ gst_ts_demux_queue_data (GstTSDemux * demux, TSDemuxStream * stream,
GST_LOG ("BUFFER: appending data"); GST_LOG ("BUFFER: appending data");
if (G_UNLIKELY (stream->current_size + size > stream->allocated_size)) { if (G_UNLIKELY (stream->current_size + size > stream->allocated_size)) {
GST_LOG ("resizing buffer"); GST_LOG ("resizing buffer");
stream->allocated_size = stream->allocated_size * 2; do {
stream->allocated_size *= 2;
} while (stream->current_size + size > stream->allocated_size);
stream->data = g_realloc (stream->data, stream->allocated_size); stream->data = g_realloc (stream->data, stream->allocated_size);
} }
memcpy (stream->data + stream->current_size, data, size); memcpy (stream->data + stream->current_size, data, size);