mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-11-18 07:47:17 +00:00
Code Issues 1 Projects Releases Wiki Activity

typefind: Fix out-of-bound memory access

Browse source 
We were not checking the proper amount of available data in several
places
This commit is contained in:
Edward Hervey 2017-10-30 08:55:48 +01:00
parent b2be4169ee
commit 7b5d97e9c3
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
gst/typefind/gsttypefindfunctions.c
View file

@ -1716,7 +1716,7 @@ ac3_type_find (GstTypeFind * tf, gpointer unused)
* frame is followed by a second frame at the expected offset.
* We could also check the two ac3 CRCs, but we don't do that right now */
while (c.offset < 1024) {
if (G_UNLIKELY (!data_scan_ctx_ensure_data (tf, &c, 5)))
if (G_UNLIKELY (!data_scan_ctx_ensure_data (tf, &c, 6)))
break;
if (c.data[0] == 0x0b && c.data[1] == 0x77) {
@ -3012,7 +3012,7 @@ static GstStaticCaps aiff_caps = GST_STATIC_CAPS ("audio/x-aiff");
static void
aiff_type_find (GstTypeFind * tf, gpointer unused)
{
const guint8 *data = gst_type_find_peek (tf, 0, 4);
const guint8 *data = gst_type_find_peek (tf, 0, 16);
if (data && memcmp (data, "FORM", 4) == 0) {
data += 8;
@ -3029,7 +3029,7 @@ static GstStaticCaps svx_caps = GST_STATIC_CAPS ("audio/x-svx");
static void
svx_type_find (GstTypeFind * tf, gpointer unused)
{
const guint8 *data = gst_type_find_peek (tf, 0, 4);
const guint8 *data = gst_type_find_peek (tf, 0, 16);
if (data && memcmp (data, "FORM", 4) == 0) {
data += 8;
@ -3360,7 +3360,7 @@ qt_type_find (GstTypeFind * tf, gpointer unused)
if ((STRNCMP (&data[4], "ftyp", 4) == 0) && (size >= 16)) {
new_offset = offset + 12;
while (new_offset + 4 <= offset + size) {
data = gst_type_find_peek (tf, new_offset, 4);
data = gst_type_find_peek (tf, new_offset, 8);
if (data == NULL)
goto done;
if (STRNCMP (&data[4], "isom", 4) == 0 ||