From 0416f121f240d14e4411ab2ad808e544fcc7fdd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
Date: Mon, 28 Dec 2015 12:28:26 +0200
Subject: [PATCH] typefindfunctions: Make sure that enough data is available in AAC/ADTS typefinder
We would otherwise read beyond the array bounds and crash every now and then.
This was introduced with 5640ba17c8db80976b7718904e4024dcfe9ee1a0.
https://bugzilla.gnome.org/show_bug.cgi?id=759910
---
 gst/typefind/gsttypefindfunctions.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/gst/typefind/gsttypefindfunctions.c b/gst/typefind/gsttypefindfunctions.c
index 29f51c7321..3ca3bcae08 100644
--- a/gst/typefind/gsttypefindfunctions.c
+++ b/gst/typefind/gsttypefindfunctions.c
@@ -1050,7 +1050,7 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
 len = ((c.data[3] & 0x03) << 11) | (c.data[4] << 3) | ((c.data[5] & 0xe0) >> 5);
- if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) {
+ if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 6)) {
 GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len);
 goto next;
 }
@@ -1110,7 +1110,7 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
 len = ((c.data[offset + 3] & 0x03) << 11) | (c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5);
- if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) {
+ if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, offset + len + 6)) {
 GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len);
 gst_type_find_suggest (tf, GST_TYPE_FIND_LIKELY, caps);
 } else {
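Review bot: The new bound `len + 6` (and `offset + len + 6` in the hunks at 1110 and 1120) is a bare magic number: nothing at the call site says why six extra bytes are needed, and the `+ 2` it replaces shows how easily that value drifts from the reads it is meant to cover. From the visible lines the highest index read for a frame header is `c.data[... + 5]`, so six bytes past the start of the next frame is presumably what the following header parse needs; please state that next to the check, e.g. `/* the next ADTS header is read up to byte 5, so its first 6 bytes must be available */`, or better hoist it into one named constant (something like `ADTS_HEADER_BYTES_READ`, name constructed here) shared by all three sites so they cannot diverge again. Since the ADTS frame_length field counts the 7-byte header itself, a value below 7 is malformed as well; tightening `len == 0` to `len < 7` would reject such input before the ensure-data call, though that goes beyond this fix. The enclosing function aac_type_find starts and ends outside the hunk.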
@@ -1120,7 +1120,8 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
 for (i = 3; i <= 6; i++) {
 len = ((c.data[offset + 3] & 0x03) << 11) | (c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5);
- if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) {
+ if (len == 0
+ || !data_scan_ctx_ensure_data (tf, &c, offset + len + 6)) {
 GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len);
 break;