qtmux: Fix extraction of CEA608 data from S334-1A packets

The index is already incremented by 3 every iteration so multiplying it
by 3 additionally on each array access is doing it twice and does not
work.

This caused invalid files to be created if there's more than one CEA608
triplet in a buffer, and out of bounds memory reads.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4634>
Sebastian Dröge 2023-05-15 11:45:12 +03:00 committed by GStreamer Marge Bot
parent 3497bbb8a8
commit 99285bb566


@ -926,16 +926,16 @@ extract_608_field_from_s334_1a (const guint8 * ccdata, gsize ccdata_size,
/* Iterate over the ccdata and put the corresponding tuples for the given field /* Iterate over the ccdata and put the corresponding tuples for the given field
* in the storage */ * in the storage */
for (i = 0; i < ccdata_size; i += 3) { for (i = 0; i < ccdata_size; i += 3) {
if ((field == 1 && (ccdata[i * 3] & 0x80)) || if ((field == 1 && (ccdata[i] & 0x80)) ||
(field == 2 && !(ccdata[i * 3] & 0x80))) { (field == 2 && !(ccdata[i] & 0x80))) {
GST_DEBUG ("Storing matching cc for field %d : 0x%02x 0x%02x", field, GST_DEBUG ("Storing matching cc for field %d : 0x%02x 0x%02x", field,
ccdata[i * 3 + 1], ccdata[i * 3 + 2]); ccdata[i + 1], ccdata[i + 2]);
if (res_size >= storage_size) { if (res_size >= storage_size) {
storage_size += 128; storage_size += 128;
storage = g_realloc (storage, storage_size); storage = g_realloc (storage, storage_size);
} }
storage[res_size] = ccdata[i * 3 + 1]; storage[res_size] = ccdata[i + 1];
storage[res_size + 1] = ccdata[i * 3 + 2]; storage[res_size + 1] = ccdata[i + 2];
res_size += 2; res_size += 2;
} }
} }
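Review bot: The loop condition `i < ccdata_size` on the new side still admits a partial trailing triplet: when ccdata_size is not a multiple of 3, the last iteration reads `ccdata[i + 1]` and `ccdata[i + 2]` past the end of the buffer, so the index fix narrows the out-of-bounds read named in the commit message without fully closing it. Bounding the loop on a whole triplet, `for (i = 0; i + 3 <= ccdata_size; i += 3) {`, would cover that case. The function starts above this hunk, so a length check there or in the caller may already guarantee a multiple of 3; if it does, a one-line comment at the loop stating that invariant would make the bound easier to audit.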