From a23d4d1c1f54dbe1b269712587721ee914f713b5 Mon Sep 17 00:00:00 2001
From: Edward Hervey <edward@centricular.com>
Date: Thu, 2 Nov 2017 15:14:49 +0100
Subject: [PATCH] typefind: Fix out-of-bound read in PNM typefinder

---
 gst/typefind/gsttypefindfunctions.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gst/typefind/gsttypefindfunctions.c b/gst/typefind/gsttypefindfunctions.c
index 2bbb88dafa..38a50e7baf 100644
--- a/gst/typefind/gsttypefindfunctions.c
+++ b/gst/typefind/gsttypefindfunctions.c
@@ -4148,15 +4148,24 @@ pnm_type_find (GstTypeFind * tf, gpointer ununsed)
 
     /* need to skip any comment lines first */
     data_scan_ctx_advance (tf, &c, 3);
+
+    if (!data_scan_ctx_ensure_data (tf, &c, 1))
+      return;
+
     while (c.data[0] == '#') {  /* we know there's still data left */
       data_scan_ctx_advance (tf, &c, 1);
+      if (!data_scan_ctx_ensure_data (tf, &c, 1))
+        return;
+
       while (c.data[0] != '\n' && c.data[0] != '\r') {
-        if (!data_scan_ctx_ensure_data (tf, &c, 4))
-          return;
         data_scan_ctx_advance (tf, &c, 1);
+        if (!data_scan_ctx_ensure_data (tf, &c, 1))
+          return;
       }
       data_scan_ctx_advance (tf, &c, 1);
       GST_LOG ("skipped comment line in PNM header");
+      if (!data_scan_ctx_ensure_data (tf, &c, 1))
+        return;
     }
 
     if (!data_scan_ctx_ensure_data (tf, &c, 32) &&