gst/mpegstream/: Fix more integer overflows. Again, see #126967.

Original commit message from CVS: 2004-01-04 Ronald Bultje <rbultje@ronald.bitfreak.net> * gst/mpegstream/gstmpegdemux.c: (gst_mpeg_demux_parse_syshead), (gst_mpeg_demux_parse_packet), (gst_mpeg_demux_parse_pes): * gst/mpegstream/gstmpegparse.c: (gst_mpeg_parse_parse_packhead): Fix more integer overflows. Again, see #126967.
2025-04-04 23:30:05 +00:00 · 2004-01-03 23:07:19 +00:00 · 2004-01-03 23:07:19 +00:00 · 9717e2b847
commit 9717e2b847
parent ddc2c60a03
3 changed files with 38 additions and 31 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2004-01-04  Ronald Bultje  <rbultje@ronald.bitfreak.net>
+
+	* gst/mpegstream/gstmpegdemux.c: (gst_mpeg_demux_parse_syshead),
+	(gst_mpeg_demux_parse_packet), (gst_mpeg_demux_parse_pes):
+	* gst/mpegstream/gstmpegparse.c: (gst_mpeg_parse_parse_packhead):
+	  Fix more integer overflows. Again, see #126967.
+
 2004-01-03  Ronald Bultje  <rbultje@ronald.bitfreak.net>

 	* ext/mpeg2dec/gstmpeg2dec.c:
--- a/gst/mpegstream/gstmpegdemux.c
+++ b/gst/mpegstream/gstmpegdemux.c
@ -400,7 +400,7 @@ gst_mpeg_demux_parse_syshead (GstMPEGParse *mpeg_parse, GstBuffer *buffer)
      }

      STD_buffer_bound_scale = *buf & 0x20;
-      STD_buffer_size_bound = (*buf++ & 0x1F) << 8;
+      STD_buffer_size_bound = ((guint16)(*buf++ & 0x1F)) << 8;
      STD_buffer_size_bound |= *buf++;

      if (STD_buffer_bound_scale == 0) {
@ -557,7 +557,7 @@ gst_mpeg_demux_parse_packet (GstMPEGParse *mpeg_parse, GstBuffer *buffer)
        GST_DEBUG ("have STD");

        STD_buffer_bound_scale =  bits & 0x20;
-        STD_buffer_size_bound  = (bits & 0x1F) << 8;
+        STD_buffer_size_bound  = ((guint16)(bits & 0x1F)) << 8;
        STD_buffer_size_bound |=  *buf++;

        headerlen += 2;
@ -566,29 +566,29 @@ gst_mpeg_demux_parse_packet (GstMPEGParse *mpeg_parse, GstBuffer *buffer)
        switch (bits & 0x30) {
 	  case 0x20:
            /* pts:3 ! 1 ! pts:15 ! 1 | pts:15 ! 1 */
-            pts  = (bits & 0x0E)   << 29;
-            pts |=  *buf++         << 22;
-            pts |= (*buf++ & 0xFE) << 14;
-            pts |=  *buf++         <<  7;
-            pts |= (*buf++ & 0xFE) >>  1;
+            pts  = ((guint64)(bits & 0x0E)  ) << 29;
+            pts |= ((guint64) *buf++        ) << 22;
+            pts |= ((guint64)(*buf++ & 0xFE)) << 14;
+            pts |= ((guint64) *buf++        ) <<  7;
+            pts |= ((guint64)(*buf++ & 0xFE)) >>  1;

            GST_DEBUG ("PTS = %" G_GUINT64_FORMAT, pts);
            headerlen += 5;
 	    goto done;
 	  case 0x30:
            /* pts:3 ! 1 ! pts:15 ! 1 | pts:15 ! 1 */
-            pts  = (bits & 0x0E)   << 29;
-            pts |=  *buf++         << 22;
-            pts |= (*buf++ & 0xFE) << 14;
-            pts |=  *buf++         <<  7;
-            pts |= (*buf++ & 0xFE) >>  1;
+            pts  = ((guint64)(bits & 0x0E)  ) << 29;
+            pts |= ((guint64) *buf++        ) << 22;
+            pts |= ((guint64)(*buf++ & 0xFE)) << 14;
+            pts |= ((guint64) *buf++        ) <<  7;
+            pts |= ((guint64)(*buf++ & 0xFE)) >>  1;

            /* sync:4 ! pts:3 ! 1 ! pts:15 ! 1 | pts:15 ! 1 */
-            dts  = (*buf++ & 0x0E) << 29;
-            dts |=  *buf++         << 22;
-            dts |= (*buf++ & 0xFE) << 14;
-            dts |=  *buf++         <<  7;
-            dts |= (*buf++ & 0xFE) >>  1;
+            dts  = ((guint64)(*buf++ & 0x0E)) << 29;
+            dts |= ((guint64) *buf++        ) << 22;
+            dts |= ((guint64)(*buf++ & 0xFE)) << 14;
+            dts |= ((guint64) *buf++        ) <<  7;
+            dts |= ((guint64)(*buf++ & 0xFE)) >>  1;

            GST_DEBUG ("PTS = %" G_GUINT64_FORMAT ", DTS = %" G_GUINT64_FORMAT, pts, dts);
            headerlen += 10;
@ -767,9 +767,9 @@ gst_mpeg_demux_parse_pes (GstMPEGParse *mpeg_parse, GstBuffer *buffer)
    if ((flags2 & 0x10)) {
      guint32 es_rate;

-      es_rate  = (*buf++ & 0x07) << 14;
-      es_rate |= (*buf++       ) << 7;
-      es_rate |= (*buf++ & 0xFE) >> 1;
+      es_rate  = ((guint32)(*buf++ & 0x07)) << 14;
+      es_rate |= ((guint32)(*buf++       )) << 7;
+      es_rate |= ((guint32)(*buf++ & 0xFE)) >> 1;
      GST_DEBUG ("%x ES Rate found", id);
    }
    /* FIXME: lots of PES parsing missing here... */
--- a/gst/mpegstream/gstmpegparse.c
+++ b/gst/mpegstream/gstmpegparse.c
@ -308,10 +308,10 @@ gst_mpeg_parse_parse_packhead (GstMPEGParse *mpeg_parse, GstBuffer *buffer)
    guint32 scr_ext;

    /* :2=01 ! scr:3 ! marker:1==1 ! scr:15 ! marker:1==1 ! scr:15 */
-    scr  = (scr1 & 0x38000000) << 3;
-    scr |= (scr1 & 0x03fff800) << 4;
-    scr |= (scr1 & 0x000003ff) << 5;
-    scr |= (scr2 & 0xf8000000) >> 27;
+    scr  = ((guint64) scr1 & 0x38000000) << 3;
+    scr |= ((guint64) scr1 & 0x03fff800) << 4;
+    scr |= ((guint64) scr1 & 0x000003ff) << 5;
+    scr |= ((guint64) scr2 & 0xf8000000) >> 27;

    scr_ext = (scr2 & 0x03fe0000) >> 17;

@ -325,17 +325,17 @@ gst_mpeg_parse_parse_packhead (GstMPEGParse *mpeg_parse, GstBuffer *buffer)
    new_rate = (GUINT32_FROM_BE ((*(guint32 *) buf)) & 0xfffffc00) >> 10;
  }
  else {
-    scr  = (scr1 & 0x0e000000) << 5;
-    scr |= (scr1 & 0x00fffe00) << 6;
-    scr |= (scr1 & 0x000000ff) << 7;
-    scr |= (scr2 & 0xfe000000) >> 25;
+    scr  = ((guint64) scr1 & 0x0e000000) << 5;
+    scr |= ((guint64) scr1 & 0x00fffe00) << 6;
+    scr |= ((guint64) scr1 & 0x000000ff) << 7;
+    scr |= ((guint64) scr2 & 0xfe000000) >> 25;

    buf += 5;
    /* we do this byte by byte because buf[3] might be outside of buf's
     * memory space */
-    new_rate = (buf[0] & 0x7f) << 15;
-    new_rate |= buf[1] << 7;
-    new_rate |= buf[2] >> 1;
+    new_rate  = ((gint32) buf[0] & 0x7f) << 15;
+    new_rate |= ((gint32) buf[1]) << 7;
+    new_rate |=           buf[2]  >> 1;
  }

  scr_orig = scr;