mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-12-19 23:06:49 +00:00
Code Issues 1 Projects Releases Wiki Activity

typefindfunctions: Make sure that enough data is available in AAC/ADTS typefinder

Browse source 
We would otherwise read beyond the array bounds and crash every now and then.
This was introduced with 5640ba17c8.

https://bugzilla.gnome.org/show_bug.cgi?id=759910
This commit is contained in:
Sebastian Dröge 2015-12-28 12:28:26 +02:00
parent 267e7ba1d9
commit 0416f121f2
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
gst/typefind/gsttypefindfunctions.c
View file

@ -1050,7 +1050,7 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
len = ((c.data[3] & 0x03) << 11) | len = ((c.data[3] & 0x03) << 11) |
(c.data[4] << 3) | ((c.data[5] & 0xe0) >> 5); (c.data[4] << 3) | ((c.data[5] & 0xe0) >> 5);
if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) { if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 6)) {
GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len); GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len);
goto next; goto next;
} }
@ -1110,7 +1110,7 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
len = ((c.data[offset + 3] & 0x03) << 11) | len = ((c.data[offset + 3] & 0x03) << 11) |
(c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5); (c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5);
if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) { if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, offset + len + 6)) {
GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len); GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", len);
gst_type_find_suggest (tf, GST_TYPE_FIND_LIKELY, caps); gst_type_find_suggest (tf, GST_TYPE_FIND_LIKELY, caps);
} else { } else {
@ -1120,7 +1120,8 @@ aac_type_find (GstTypeFind * tf, gpointer unused)
for (i = 3; i <= 6; i++) { for (i = 3; i <= 6; i++) {
len = ((c.data[offset + 3] & 0x03) << 11) | len = ((c.data[offset + 3] & 0x03) << 11) |
(c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5); (c.data[offset + 4] << 3) | ((c.data[offset + 5] & 0xe0) >> 5);
if (len == 0 || !data_scan_ctx_ensure_data (tf, &c, len + 2)) { if (len == 0
|| !data_scan_ctx_ensure_data (tf, &c, offset + len + 6)) {
GST_DEBUG ("Wrong sync or next frame not within reach, len=%u", GST_DEBUG ("Wrong sync or next frame not within reach, len=%u",
len); len);
break; break;