From 99285bb566896ce80ca6d90f2c5009339c26ddb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Mon, 15 May 2023 11:45:12 +0300 Subject: [PATCH] qtmux: Fix extraction of CEA608 data from S334-1A packets The index is already incremented by 3 every iteration so multiplying it by 3 additionally on each array access is doing it twice and does not work. This caused invalid files to be created if there's more than one CEA608 triplet in a buffer, and out of bounds memory reads. Part-of: --- subprojects/gst-plugins-good/gst/isomp4/gstqtmux.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/subprojects/gst-plugins-good/gst/isomp4/gstqtmux.c b/subprojects/gst-plugins-good/gst/isomp4/gstqtmux.c index 26a10bf3a1..488d597ee2 100644 --- a/subprojects/gst-plugins-good/gst/isomp4/gstqtmux.c +++ b/subprojects/gst-plugins-good/gst/isomp4/gstqtmux.c @@ -926,16 +926,16 @@ extract_608_field_from_s334_1a (const guint8 * ccdata, gsize ccdata_size, /* Iterate over the ccdata and put the corresponding tuples for the given field * in the storage */ for (i = 0; i < ccdata_size; i += 3) { - if ((field == 1 && (ccdata[i * 3] & 0x80)) || - (field == 2 && !(ccdata[i * 3] & 0x80))) { + if ((field == 1 && (ccdata[i] & 0x80)) || + (field == 2 && !(ccdata[i] & 0x80))) { GST_DEBUG ("Storing matching cc for field %d : 0x%02x 0x%02x", field, - ccdata[i * 3 + 1], ccdata[i * 3 + 2]); + ccdata[i + 1], ccdata[i + 2]); if (res_size >= storage_size) { storage_size += 128; storage = g_realloc (storage, storage_size); } - storage[res_size] = ccdata[i * 3 + 1]; - storage[res_size + 1] = ccdata[i * 3 + 2]; + storage[res_size] = ccdata[i + 1]; + storage[res_size + 1] = ccdata[i + 2]; res_size += 2; } }