From 142233d9171c6bcc93717bba48a11841c01da20c Mon Sep 17 00:00:00 2001 From: Edward Hervey Date: Thu, 20 Feb 2014 19:08:33 +0100 Subject: [PATCH] mpegts: Add size guards for descriptors where neeeded Fixes https://bugzilla.gnome.org/show_bug.cgi?id=724464 --- gst-libs/gst/mpegts/gst-dvb-descriptor.c | 16 ++++++++++++++++ gst-libs/gst/mpegts/gstmpegts-private.h | 1 + gst-libs/gst/mpegts/gstmpegtsdescriptor.c | 2 ++ 3 files changed, 19 insertions(+) diff --git a/gst-libs/gst/mpegts/gst-dvb-descriptor.c b/gst-libs/gst/mpegts/gst-dvb-descriptor.c index 0ca74f2c94..8329d84dce 100644 --- a/gst-libs/gst/mpegts/gst-dvb-descriptor.c +++ b/gst-libs/gst/mpegts/gst-dvb-descriptor.c @@ -66,6 +66,8 @@ gst_mpegts_descriptor_parse_dvb_network_name (const GstMpegTsDescriptor * { g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x40, FALSE); + /* We need at least one byte of data for the string */ + g_return_val_if_fail (descriptor->length >= 1, FALSE); *name = get_encoding_and_convert ((gchar *) descriptor->data + 2, descriptor->data[1]); @@ -126,6 +128,8 @@ gst_mpegts_descriptor_parse_satellite_delivery_system (const GstMpegTsDescriptor g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x43, FALSE); + /* This descriptor is always 11 bytes long */ + g_return_val_if_fail (descriptor->length == 11, FALSE); data = (guint8 *) descriptor->data + 2; @@ -201,6 +205,8 @@ gst_mpegts_descriptor_parse_cable_delivery_system (const GstMpegTsDescriptor * g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x44, FALSE); + /* This descriptor is always 11 bytes long */ + g_return_val_if_fail (descriptor->length == 11, FALSE); data = (guint8 *) descriptor->data + 2; /* BCD in MHz, decimal place after the fourth character */ @@ -265,6 +271,8 @@ gst_mpegts_descriptor_parse_dvb_service (const GstMpegTsDescriptor * g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x48, FALSE); + /* Need at least 3 bytes (type and 2 bytes for the string length) */ + g_return_val_if_fail (descriptor->length >= 3, FALSE); data = (guint8 *) descriptor->data + 2; @@ -300,6 +308,8 @@ gst_mpegts_descriptor_parse_dvb_short_event (const GstMpegTsDescriptor * g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x4D, FALSE); + /* Need at least 5 bytes (3 for language code, 2 for each string length) */ + g_return_val_if_fail (descriptor->length >= 5, FALSE); data = (guint8 *) descriptor->data + 2; @@ -503,6 +513,8 @@ gst_mpegts_descriptor_parse_dvb_extended_event (const GstMpegTsDescriptor g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (descriptor->tag == GST_MTS_DESC_DVB_EXTENDED_EVENT, FALSE); + /* Need at least 6 bytes (1 for desc number, 3 for language code, 2 for the loop length) */ + g_return_val_if_fail (descriptor->length >= 6, FALSE); data = (guint8 *) descriptor->data + 2; @@ -568,6 +580,8 @@ gst_mpegts_descriptor_parse_dvb_component (const GstMpegTsDescriptor g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (descriptor->tag == GST_MTS_DESC_DVB_COMPONENT, FALSE); + /* Need 6 bytes at least (1 for content, 1 for type, 1 for tag, 3 for language code) */ + g_return_val_if_fail (descriptor->length >= 6, FALSE); data = (guint8 *) descriptor->data + 2; @@ -650,6 +664,8 @@ gst_mpegts_descriptor_parse_terrestrial_delivery_system (const g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x5a, FALSE); + /* Descriptor is always 11 bytes long */ + g_return_val_if_fail (descriptor->length == 11, FALSE); data = (guint8 *) descriptor->data + 2; diff --git a/gst-libs/gst/mpegts/gstmpegts-private.h b/gst-libs/gst/mpegts/gstmpegts-private.h index 08c62291f5..1533b4b599 100644 --- a/gst-libs/gst/mpegts/gstmpegts-private.h +++ b/gst-libs/gst/mpegts/gstmpegts-private.h @@ -48,6 +48,7 @@ G_GNUC_INTERNAL gpointer __common_section_checks (GstMpegTsSection *section, GstMpegTsParseFunc parsefunc, GDestroyNotify destroynotify); + G_END_DECLS #endif /* _GST_MPEGTS_PRIVATE_H_ */ diff --git a/gst-libs/gst/mpegts/gstmpegtsdescriptor.c b/gst-libs/gst/mpegts/gstmpegtsdescriptor.c index cbeb00e2da..91b578c091 100644 --- a/gst-libs/gst/mpegts/gstmpegtsdescriptor.c +++ b/gst-libs/gst/mpegts/gstmpegtsdescriptor.c @@ -882,6 +882,7 @@ gst_mpegts_descriptor_parse_iso_639_language (const GstMpegTsDescriptor * g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x0A, FALSE); + /* This descriptor can be empty, no size check needed */ data = (guint8 *) descriptor->data + 2; /* Each language is 3 + 1 bytes */ @@ -970,6 +971,7 @@ gst_mpegts_descriptor_parse_logical_channel (const GstMpegTsDescriptor * g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor->tag == 0x83, FALSE); + /* This descriptor loop can be empty, no size check required */ data = (guint8 *) descriptor->data; res->nb_channels = descriptor->length / 4;