mpegts: Add size guards for descriptors where neeeded

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=724464
This commit is contained in:
Edward Hervey 2014-02-20 19:08:33 +01:00
parent 4190a1717a
commit 142233d917
3 changed files with 19 additions and 0 deletions

View file

@ -66,6 +66,8 @@ gst_mpegts_descriptor_parse_dvb_network_name (const GstMpegTsDescriptor *
{ {
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x40, FALSE); g_return_val_if_fail (descriptor->tag == 0x40, FALSE);
/* We need at least one byte of data for the string */
g_return_val_if_fail (descriptor->length >= 1, FALSE);
*name = get_encoding_and_convert ((gchar *) descriptor->data + 2, *name = get_encoding_and_convert ((gchar *) descriptor->data + 2,
descriptor->data[1]); descriptor->data[1]);
@ -126,6 +128,8 @@ gst_mpegts_descriptor_parse_satellite_delivery_system (const GstMpegTsDescriptor
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x43, FALSE); g_return_val_if_fail (descriptor->tag == 0x43, FALSE);
/* This descriptor is always 11 bytes long */
g_return_val_if_fail (descriptor->length == 11, FALSE);
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;
@ -201,6 +205,8 @@ gst_mpegts_descriptor_parse_cable_delivery_system (const GstMpegTsDescriptor *
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x44, FALSE); g_return_val_if_fail (descriptor->tag == 0x44, FALSE);
/* This descriptor is always 11 bytes long */
g_return_val_if_fail (descriptor->length == 11, FALSE);
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;
/* BCD in MHz, decimal place after the fourth character */ /* BCD in MHz, decimal place after the fourth character */
@ -265,6 +271,8 @@ gst_mpegts_descriptor_parse_dvb_service (const GstMpegTsDescriptor *
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x48, FALSE); g_return_val_if_fail (descriptor->tag == 0x48, FALSE);
/* Need at least 3 bytes (type and 2 bytes for the string length) */
g_return_val_if_fail (descriptor->length >= 3, FALSE);
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;
@ -300,6 +308,8 @@ gst_mpegts_descriptor_parse_dvb_short_event (const GstMpegTsDescriptor *
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x4D, FALSE); g_return_val_if_fail (descriptor->tag == 0x4D, FALSE);
/* Need at least 5 bytes (3 for language code, 2 for each string length) */
g_return_val_if_fail (descriptor->length >= 5, FALSE);
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;
@ -503,6 +513,8 @@ gst_mpegts_descriptor_parse_dvb_extended_event (const GstMpegTsDescriptor
g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == GST_MTS_DESC_DVB_EXTENDED_EVENT, g_return_val_if_fail (descriptor->tag == GST_MTS_DESC_DVB_EXTENDED_EVENT,
FALSE); FALSE);
/* Need at least 6 bytes (1 for desc number, 3 for language code, 2 for the loop length) */
g_return_val_if_fail (descriptor->length >= 6, FALSE);
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;
@ -568,6 +580,8 @@ gst_mpegts_descriptor_parse_dvb_component (const GstMpegTsDescriptor
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == GST_MTS_DESC_DVB_COMPONENT, FALSE); g_return_val_if_fail (descriptor->tag == GST_MTS_DESC_DVB_COMPONENT, FALSE);
/* Need 6 bytes at least (1 for content, 1 for type, 1 for tag, 3 for language code) */
g_return_val_if_fail (descriptor->length >= 6, FALSE);
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;
@ -650,6 +664,8 @@ gst_mpegts_descriptor_parse_terrestrial_delivery_system (const
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x5a, FALSE); g_return_val_if_fail (descriptor->tag == 0x5a, FALSE);
/* Descriptor is always 11 bytes long */
g_return_val_if_fail (descriptor->length == 11, FALSE);
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;

View file

@ -48,6 +48,7 @@ G_GNUC_INTERNAL gpointer __common_section_checks (GstMpegTsSection *section,
GstMpegTsParseFunc parsefunc, GstMpegTsParseFunc parsefunc,
GDestroyNotify destroynotify); GDestroyNotify destroynotify);
G_END_DECLS G_END_DECLS
#endif /* _GST_MPEGTS_PRIVATE_H_ */ #endif /* _GST_MPEGTS_PRIVATE_H_ */

View file

@ -882,6 +882,7 @@ gst_mpegts_descriptor_parse_iso_639_language (const GstMpegTsDescriptor *
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (res != NULL, FALSE); g_return_val_if_fail (res != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x0A, FALSE); g_return_val_if_fail (descriptor->tag == 0x0A, FALSE);
/* This descriptor can be empty, no size check needed */
data = (guint8 *) descriptor->data + 2; data = (guint8 *) descriptor->data + 2;
/* Each language is 3 + 1 bytes */ /* Each language is 3 + 1 bytes */
@ -970,6 +971,7 @@ gst_mpegts_descriptor_parse_logical_channel (const GstMpegTsDescriptor *
g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE); g_return_val_if_fail (descriptor != NULL && descriptor->data != NULL, FALSE);
g_return_val_if_fail (descriptor->tag == 0x83, FALSE); g_return_val_if_fail (descriptor->tag == 0x83, FALSE);
/* This descriptor loop can be empty, no size check required */
data = (guint8 *) descriptor->data; data = (guint8 *) descriptor->data;
res->nb_channels = descriptor->length / 4; res->nb_channels = descriptor->length / 4;