From a55b8e9c0034a2d4d4f57e1d2fb6cdc3c2d82e54 Mon Sep 17 00:00:00 2001 From: Vincent Penquerc'h Date: Wed, 30 Apr 2014 14:50:44 +0100 Subject: [PATCH] rtpvrawpay: guard against pathological "no space" condition Even if one woul hope one pixel can fit in a MTU, ensure we do not overwrite a buffer if this is not the case. Spotted while looking at Coverity 1208786 --- gst/rtp/gstrtpvrawpay.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/gst/rtp/gstrtpvrawpay.c b/gst/rtp/gstrtpvrawpay.c index ca54bbb75d..cade178619 100644 --- a/gst/rtp/gstrtpvrawpay.c +++ b/gst/rtp/gstrtpvrawpay.c @@ -331,6 +331,13 @@ gst_rtp_vraw_pay_handle_buffer (GstRTPBasePayload * payload, GstBuffer * buffer) /* the headers start here */ headers = outdata; + /* make sure we can fit at least *one* header and pixel */ + if (!(left > (6 + pgroup))) { + gst_rtp_buffer_unmap (&rtp); + gst_buffer_unref (out); + goto too_small; + } + /* while we can fit at least one header and one pixel */ while (left > (6 + pgroup)) { /* we need a 6 bytes header */ @@ -516,6 +523,14 @@ unknown_sampling: gst_buffer_unref (buffer); return GST_FLOW_NOT_SUPPORTED; } +too_small: + { + GST_ELEMENT_ERROR (payload, RESOURCE, NO_SPACE_LEFT, + (NULL), ("not enough space to send at least one pixel")); + gst_video_frame_unmap (&frame); + gst_buffer_unref (buffer); + return GST_FLOW_NOT_SUPPORTED; + } } gboolean