From 85ad4f3ad6234e425ebf3f4c58f36597a48e4e41 Mon Sep 17 00:00:00 2001
From: Arnaud Vrac
Date: Mon, 16 Sep 2013 11:42:48 +0200
Subject: [PATCH] tsdemux: fix buffer overflow
This can happen with a corrupt TS file, found with breakmydata element plugged before tsdemux.
https://bugzilla.gnome.org/show_bug.cgi?id=708161
---
 gst/mpegtsdemux/tsdemux.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/gst/mpegtsdemux/tsdemux.c b/gst/mpegtsdemux/tsdemux.c
index 0553ed98b4..40fe151db0 100644
--- a/gst/mpegtsdemux/tsdemux.c
+++ b/gst/mpegtsdemux/tsdemux.c
@@ -1293,9 +1293,10 @@ gst_ts_demux_parse_pes_header (GstTSDemux * demux, TSDemuxStream * stream,
 /* Create the output buffer */
 if (stream->expected_size)
- stream->allocated_size = stream->expected_size;
+ stream->allocated_size = MAX (stream->expected_size, length);
 else
- stream->allocated_size = 8192;
+ stream->allocated_size = MAX (8192, length);
+ g_assert (stream->data == NULL);
 stream->data = g_malloc (stream->allocated_size);
 memcpy (stream->data, data, length);
@@ -1363,7 +1364,9 @@ gst_ts_demux_queue_data (GstTSDemux * demux, TSDemuxStream * stream,
 GST_LOG ("BUFFER: appending data");
 if (G_UNLIKELY (stream->current_size + size > stream->allocated_size)) {
 GST_LOG ("resizing buffer");
- stream->allocated_size = stream->allocated_size * 2;
+ do {
+ stream->allocated_size *= 2;
+ } while (stream->current_size + size > stream->allocated_size);
 stream->data = g_realloc (stream->data, stream->allocated_size);
 }
 memcpy (stream->data + stream->current_size, data, size);
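Review bot: The two `MAX (..., length)` assignments in gst_ts_demux_parse_pes_header carry no comment saying why the size recorded in `expected_size` cannot be trusted on its own, so a later cleanup could easily simplify them back to the overflowing form. I would extend the existing comment above the `if` to `/* Create the output buffer. In a corrupt stream expected_size can be smaller than the payload already in hand, so never allocate less than the length copied below. */`. The bound on `length` itself against the input buffer is established outside this hunk, presumably earlier in the function, and is worth confirming there.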
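Review bot: The new `do { ... } while` loop in gst_ts_demux_queue_data doubles `allocated_size` with no overflow guard, so if that field is a 32-bit unsigned (its declaration is outside the hunk) a large enough target lets the doubling wrap to 0, after which the loop can never exit. The sum `stream->current_size + size` in the `if` and in the loop condition can wrap in the same way and needs its own check before this block, using whatever error path the function has; that path is not visible here. The growth is also unbounded for a stream that never completes a packet, so an upper limit on the per-stream buffer is worth considering. The fence shows a doubling loop that stops before the counter can wrap; `G_MAXUINT` assumes the field is a `guint`.

```c
      GST_LOG ("resizing buffer");
      /* Grow geometrically, but stop doubling before the counter can wrap:
       * a wrapped allocated_size of 0 would never satisfy the loop exit. */
      while (stream->current_size + size > stream->allocated_size) {
        if (stream->allocated_size > G_MAXUINT / 2) {
          stream->allocated_size = stream->current_size + size;
          break;
        }
        stream->allocated_size *= 2;
      }
      /* … unchanged: g_realloc of stream->data and the memcpy that follows … */
```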