Mercurial > mplayer.hg
comparison libmpdemux/demux_ts.c @ 31605:21ac1f3cfb7f
Add packet->len checks to avoid out-of-bounds reads and negative
es->size values.
| author | reimar |
|---|---|
| date | Sat, 10 Jul 2010 16:48:59 +0000 |
| parents | 2b455d7357cc |
| children | cd81fce1f010 |
comparison
equal
deleted
inserted
replaced
| 31604:a513b4166abd | 31605:21ac1f3cfb7f |
|---|---|
| 1482 */ | 1482 */ |
| 1483 | 1483 |
| 1484 | 1484 |
| 1485 if( | 1485 if( |
| 1486 (type_from_pmt == AUDIO_A52) || /* A52 - raw */ | 1486 (type_from_pmt == AUDIO_A52) || /* A52 - raw */ |
| 1487 (p[0] == 0x0B && p[1] == 0x77) /* A52 - syncword */ | 1487 (packet_len >= 2 && p[0] == 0x0B && p[1] == 0x77) /* A52 - syncword */ |
| 1488 ) | 1488 ) |
| 1489 { | 1489 { |
| 1490 mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 RAW OR SYNCWORD\n"); | 1490 mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 RAW OR SYNCWORD\n"); |
| 1491 es->start = p; | 1491 es->start = p; |
| 1492 es->size = packet_len; | 1492 es->size = packet_len; |
| 1495 | 1495 |
| 1496 return 1; | 1496 return 1; |
| 1497 } | 1497 } |
| 1498 /* SPU SUBS */ | 1498 /* SPU SUBS */ |
| 1499 else if(type_from_pmt == SPU_DVB || | 1499 else if(type_from_pmt == SPU_DVB || |
| 1500 ((p[0] == 0x20) && pes_is_aligned)) // && p[1] == 0x00)) | 1500 (packet_len >= 1 && (p[0] == 0x20) && pes_is_aligned)) // && p[1] == 0x00)) |
| 1501 { | 1501 { |
| 1502 es->start = p; | 1502 es->start = p; |
| 1503 es->size = packet_len; | 1503 es->size = packet_len; |
| 1504 es->type = SPU_DVB; | 1504 es->type = SPU_DVB; |
| 1505 es->payload_size -= packet_len; | 1505 es->payload_size -= packet_len; |
| 1506 | 1506 |
| 1507 return 1; | 1507 return 1; |
| 1508 } | 1508 } |
| 1509 else if (pes_is_aligned && ((p[0] & 0xE0) == 0x20)) //SPU_DVD | 1509 else if (pes_is_aligned && packet_len >= 1 && ((p[0] & 0xE0) == 0x20)) //SPU_DVD |
| 1510 { | 1510 { |
| 1511 //DVD SUBS | 1511 //DVD SUBS |
| 1512 es->start = p+1; | 1512 es->start = p+1; |
| 1513 es->size = packet_len-1; | 1513 es->size = packet_len-1; |
| 1514 es->type = SPU_DVD; | 1514 es->type = SPU_DVD; |
| 1515 es->payload_size -= packet_len; | 1515 es->payload_size -= packet_len; |
| 1516 | 1516 |
| 1517 return 1; | 1517 return 1; |
| 1518 } | 1518 } |
| 1519 else if (pes_is_aligned && (p[0] & 0xF8) == 0x80) | 1519 else if (pes_is_aligned && packet_len >= 4 && (p[0] & 0xF8) == 0x80) |
| 1520 { | 1520 { |
| 1521 mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 WITH HEADER\n"); | 1521 mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 WITH HEADER\n"); |
| 1522 es->start = p+4; | 1522 es->start = p+4; |
| 1523 es->size = packet_len - 4; | 1523 es->size = packet_len - 4; |
| 1524 es->type = AUDIO_A52; | 1524 es->type = AUDIO_A52; |
| 1525 es->payload_size -= packet_len; | 1525 es->payload_size -= packet_len; |
| 1526 | 1526 |
| 1527 return 1; | 1527 return 1; |
| 1528 } | 1528 } |
| 1529 else if (pes_is_aligned && ((p[0]&0xf0) == 0xa0)) | 1529 else if (pes_is_aligned && packet_len >= 1 && ((p[0]&0xf0) == 0xa0)) |
| 1530 { | 1530 { |
| 1531 int pcm_offset; | 1531 int pcm_offset; |
| 1532 | 1532 |
| 1533 for (pcm_offset=0; ++pcm_offset < packet_len-1 ; ) | 1533 for (pcm_offset=0; ++pcm_offset < packet_len-1 ; ) |
| 1534 { | 1534 { |