From 5c2e6dc5125451e2b7b98bf0fc8222e880aeaa65 Mon Sep 17 00:00:00 2001 From: Thibault Saunier Date: Mon, 27 Feb 2012 09:45:29 -0300 Subject: [PATCH] mpegtspacketizer: catch section lengths extending past the buffer length This is probably the cause for an occasional crash while streaming MPEG. Blind fix after staring at the code and following logic, so may or may not fix the issue, I cannot test. (Port of 4275a70cb55d375afa702917f7359ec117ed49d4 from mpegdemux) --- gst/mpegtsdemux/mpegtspacketizer.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/gst/mpegtsdemux/mpegtspacketizer.c b/gst/mpegtsdemux/mpegtspacketizer.c index 2453d35d32..1bc9356406 100644 --- a/gst/mpegtsdemux/mpegtspacketizer.c +++ b/gst/mpegtsdemux/mpegtspacketizer.c @@ -2356,6 +2356,12 @@ mpegts_packetizer_push_section (MpegTSPacketizer2 * packetizer, if (packet->pid == 0x14) { table_id = data[0]; section->section_length = GST_READ_UINT24_BE (data) & 0x000FFF; + if (data - GST_BUFFER_DATA (packet->buffer) + section->section_length + 3 > + GST_BUFFER_SIZE (packet->buffer)) { + GST_WARNING ("PID %dd PSI section length extends past the end " + "of the buffer", packet->pid); + goto out; + } section->buffer = gst_buffer_create_sub (packet->buffer, data - GST_BUFFER_DATA (packet->buffer), section->section_length + 3); section->table_id = table_id;