From 4275a70cb55d375afa702917f7359ec117ed49d4 Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h <vincent.penquerch@collabora.co.uk>
Date: Mon, 29 Aug 2011 13:00:02 +0100
Subject: [PATCH] mpegdemux: catch section lengths extending past the buffer
 length

This is probably the cause for an occasional crash while streaming
MPEG. Blind fix after staring at the code and following logic, so
may or may not fix the issue, I cannot test.
---
 gst/mpegdemux/mpegtspacketizer.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/gst/mpegdemux/mpegtspacketizer.c b/gst/mpegdemux/mpegtspacketizer.c
index a9a69c9d3c..118a3acc5b 100644
--- a/gst/mpegdemux/mpegtspacketizer.c
+++ b/gst/mpegdemux/mpegtspacketizer.c
@@ -2197,6 +2197,12 @@ mpegts_packetizer_push_section (MpegTSPacketizer * packetizer,
   if (packet->pid == 0x14) {
     table_id = data[0];
     section->section_length = GST_READ_UINT24_BE (data) & 0x000FFF;
+    if (data - GST_BUFFER_DATA (packet->buffer) + section->section_length + 3 >
+        GST_BUFFER_SIZE (packet->buffer)) {
+      GST_WARNING ("PID %dd PSI section length extends past the end "
+          "of the buffer", packet->pid);
+      goto out;
+    }
     section->buffer = gst_buffer_create_sub (packet->buffer,
         data - GST_BUFFER_DATA (packet->buffer), section->section_length + 3);
     section->table_id = table_id;