From f21ea162ad3047d38d6e678aded23449c48f9f21 Mon Sep 17 00:00:00 2001
From: Julien Isorce <julien.isorce@gmail.com>
Date: Mon, 12 Dec 2011 15:52:20 +0100
Subject: [PATCH] mpegtsparse: check offset when retrieving table_id on
 malformed packets

Fix bug #665988
---
 gst/mpegdemux/mpegtsparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gst/mpegdemux/mpegtsparse.c b/gst/mpegdemux/mpegtsparse.c
index 8a33fc1efe..164321ec4e 100644
--- a/gst/mpegdemux/mpegtsparse.c
+++ b/gst/mpegdemux/mpegtsparse.c
@@ -895,6 +895,14 @@ mpegts_parse_is_psi (MpegTSParse * parse, MpegTSPacketizerPacket * packet)
       data = packet->data;
       pointer = *data++;
       data += pointer;
+      /* 'pointer' value may be invalid on malformed packet
+       * so we need to avoid out of range
+       */
+      if (!(data < packet->data_end)) {
+        GST_WARNING_OBJECT (parse,
+            "Wrong offset when retrieving table id: 0x%x", pointer);
+        return FALSE;
+      }
       table_id = *data;
       i = 0;
       while (si_tables[i] != TABLE_ID_UNSET) {