diff --git a/gst/mxf/mxfaes-bwf.c b/gst/mxf/mxfaes-bwf.c
index 633f3affbc..f92d682797 100644
--- a/gst/mxf/mxfaes-bwf.c
+++ b/gst/mxf/mxfaes-bwf.c
@@ -643,11 +643,14 @@ mxf_metadata_aes3_audio_essence_descriptor_handle_tag (MXFMetadataBase *
 tag_data += 8;
 tag_size -= 8;
- if (tag_size != len * 24)
+ if (tag_size / 24 != len)
+ goto error;
+
+ if (G_MAXINT / (24 + sizeof (guint8 *)) < len)
 goto error;
 self->fixed_channel_status_data =
- g_malloc0 (len * sizeof (guint8 *) + len * 24);
+ g_malloc0 (len * (sizeof (guint8 *) + 24));
 for (i = 0; i < len; i++) {
 self->fixed_channel_status_data[i] =
@@ -738,10 +741,13 @@ mxf_metadata_aes3_audio_essence_descriptor_handle_tag (MXFMetadataBase *
 tag_data += 8;
 tag_size -= 8;
- if (tag_size != len * 24)
+ if (tag_size / 24 != len)
 goto error;
- self->fixed_user_data = g_malloc0 (len * sizeof (guint8 *) + len * 24);
+ if (G_MAXINT / (24 + sizeof (guint8 *)) < len)
+ goto error;
+
+ self->fixed_user_data = g_malloc0 (len * (sizeof (guint8 *) + 24));
 for (i = 0; i < len; i++) {
 self->fixed_user_data[i] =
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
index 823b1b6ffe..f8ebee76dc 100644
--- a/gst/mxf/mxfdemux.c
+++ b/gst/mxf/mxfdemux.c
@@ -3556,11 +3556,18 @@ collect_index_table_segments (GstMXFDemux * demux)
 start = segment->index_start_position;
 end = start + segment->index_duration;
+ if (end > G_MAXINT / sizeof (GstMXFDemuxIndex)) {
+ demux->index_tables = g_list_remove (demux->index_tables, t);
+ g_array_free (t->offsets, TRUE);
+ g_free (t);
+ continue;
+ }
 if (t->offsets->len < end)
 g_array_set_size (t->offsets, end);
- for (i = 0; i < segment->n_index_entries; i++) {
+ for (i = 0; i < segment->n_index_entries && start + i < t->offsets->len;
+ i++) {
 GstMXFDemuxIndex *index =
 &g_array_index (t->offsets, GstMXFDemuxIndex, start + i);
 guint64 offset = segment->index_entries[i].stream_offset;
diff --git a/gst/mxf/mxfdms1.c b/gst/mxf/mxfdms1.c
index d5d5d95b47..d735e4d609 100644
--- a/gst/mxf/mxfdms1.c
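Review bot: In gst/mxf/mxfaes-bwf.c the rewritten length check `tag_size / 24 != len` is looser than the equality it replaces: integer division drops the remainder, so a tag carrying up to 23 bytes beyond `len` entries now passes where `tag_size != len * 24` rejected it. Keeping the exact-size requirement without the multiplication would be `if (tag_size % 24 != 0 || tag_size / 24 != len) goto error;`. The same applies to the fixed_user_data hunk at -738 in this file. Both hunks sit inside a larger function, so any earlier check that `tag_size` is at least 8 before `tag_size -= 8` is outside the view.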
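Review bot: In collect_index_table_segments (gst/mxf/mxfdemux.c), `end = start + segment->index_duration` is computed before the new bound check, so a sum that wraps yields a small `end` that passes `end > G_MAXINT / sizeof (GstMXFDemuxIndex)`; the types of `start`, `end` and the segment fields are declared outside the hunk, so this is inferred. The added loop condition `start + i < t->offsets->len` appears to keep the writes in bounds in that case, but the segment is then silently skipped or only partly applied. Validating the operands before adding them and logging the rejection, for example `GST_WARNING_OBJECT (demux, "Invalid index table segment");`, would make the failure visible. The rejection branch also frees the whole table `t`, including any offsets already collected for it, and a comment saying this is intended would help.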
+++ b/gst/mxf/mxfdms1.c
@@ -3109,7 +3109,7 @@ mxf_dms1_shot_handle_tag (MXFMetadataBase * metadata, MXFPrimerPack * primer,
 tag_data += 8;
 tag_size -= 8;
- if (tag_size < 4 * len)
+ if (tag_size / 4 < len)
 goto error;
 self->n_shot_track_ids = len;
diff --git a/gst/mxf/mxfmetadata.c b/gst/mxf/mxfmetadata.c
index 69aadb5499..5dc55c7057 100644
--- a/gst/mxf/mxfmetadata.c
+++ b/gst/mxf/mxfmetadata.c
@@ -2244,6 +2244,9 @@ mxf_metadata_source_package_resolve (MXFMetadataBase * m, GHashTable * metadata)
 d = MXF_METADATA_FILE_DESCRIPTOR (current);
 for (i = 0; i < package->n_tracks; i++) {
+ if (!package->tracks[i])
+ continue;
+
 if (!MXF_IS_METADATA_MULTIPLE_DESCRIPTOR (d)) {
 if (d->linked_track_id == package->tracks[i]->track_id ||
 (d->linked_track_id == 0 && package->n_essence_tracks == 1 &&
@@ -3552,12 +3555,12 @@ mxf_metadata_dm_source_clip_handle_tag (MXFMetadataBase * metadata,
 if (GST_READ_UINT32_BE (tag_data + 4) != 4)
 goto error;
- if (tag_size < 8 + 4 * len)
- goto error;
-
 tag_data += 8;
 tag_size -= 8;
+ if (tag_size / 4 < len)
+ goto error;
+
 self->n_track_ids = len;
 self->track_ids = g_new0 (guint32, len);
@@ -3725,7 +3728,10 @@ mxf_metadata_dm_segment_handle_tag (MXFMetadataBase * metadata,
 if (GST_READ_UINT32_BE (tag_data + 4) != 4)
 goto error;
- if (len * 4 + 8 < tag_size)
+ tag_data += 8;
+ tag_size -= 8;
+
+ if (len < tag_size / 4)
 goto error;
 self->n_track_ids = len;
diff --git a/gst/mxf/mxftypes.c b/gst/mxf/mxftypes.c
index 14e236292d..4063fe041d 100644
--- a/gst/mxf/mxftypes.c
+++ b/gst/mxf/mxftypes.c
@@ -351,7 +351,7 @@ mxf_uuid_array_parse (MXFUUID ** array, guint32 * count, const guint8 * data,
 return FALSE;
 }
- if (16 * element_count < size) {
+ if (element_count > size / 16) {
 *array = NULL;
 *count = 0;
 return FALSE;
@@ -1167,7 +1167,7 @@ mxf_index_table_segment_parse (const MXFUL * ul,
 tag_data += 4;
 tag_size -= 4;
- if (tag_size < len * 6)
+ if (tag_size / 6 < len)
 goto error;
 segment->delta_entries = g_new (MXFDeltaEntry, len);
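Review bot: The new `if (!package->tracks[i]) continue;` guard in mxf_metadata_source_package_resolve (gst/mxf/mxfmetadata.c) has no comment saying when an entry can be NULL. Something like `/* tracks[i] is NULL when the track reference could not be resolved */` would document it, if that is indeed the cause; the code that fills `tracks` is outside the hunk. Any other loop in this function that dereferences `package->tracks[i]` needs the same guard, and only this one is visible here.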
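Review bot: In mxf_metadata_dm_source_clip_handle_tag the length check now runs after `tag_size -= 8`, so `tag_size / 4 < len` is only meaningful if `tag_size >= 8` was established earlier; that check is outside the hunk, though the read at `tag_data + 4` suggests it exists. If `tag_size` is unsigned and the check is missing, the subtraction wraps and the bound becomes very large. The same precondition applies to the `size -= 4` lines added in mxf_primer_pack_parse and mxf_local_tag_parse in gst/mxf/mxftypes.c. A one-line comment at each site, e.g. `/* tag_size >= 8 checked above */`, would make the dependency explicit.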
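Review bot: The comparison in mxf_metadata_dm_segment_handle_tag still points the wrong way: `if (len < tag_size / 4) goto error;` rejects a tag with more data than `len` entries but accepts a `len` larger than the data can hold, which is the case the sibling hunks reject with `tag_size / 4 < len`. The removed line had the same direction, so this predates the commit, but the mxf_uuid_array_parse and mxf_ul_array_parse hunks did flip theirs. Suggested: `if (tag_size / 4 < len) goto error;`. Separately, this hunk adds `tag_data += 8; tag_size -= 8;` without removing any later advance; the old check included `+ 8`, which suggests the function skipped the header further down (outside the hunk), so it is worth confirming the header is not skipped twice.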
@@ -1216,7 +1216,7 @@ mxf_index_table_segment_parse (const MXFUL * ul,
 tag_data += 4;
 tag_size -= 4;
- if (tag_size < len * 11)
+ if (tag_size / 11 < len)
 goto error;
 segment->index_entries = g_new0 (MXFIndexEntry, len);
@@ -1289,9 +1289,11 @@ mxf_index_table_segment_reset (MXFIndexTableSegment * segment)
 g_return_if_fail (segment != NULL);
- for (i = 0; i < segment->n_index_entries; i++) {
- g_free (segment->index_entries[i].slice_offset);
- g_free (segment->index_entries[i].pos_table);
+ if (segment->index_entries) {
+ for (i = 0; i < segment->n_index_entries; i++) {
+ g_free (segment->index_entries[i].slice_offset);
+ g_free (segment->index_entries[i].pos_table);
+ }
 }
 g_free (segment->index_entries);
@@ -1447,14 +1449,16 @@ mxf_primer_pack_parse (const MXFUL * ul, MXFPrimerPack * pack,
 n = GST_READ_UINT32_BE (data);
 data += 4;
+ size -= 4;
 GST_DEBUG (" number of mappings = %u", n);
 if (GST_READ_UINT32_BE (data) != 18)
 goto error;
 data += 4;
+ size -= 4;
- if (size < 8 + n * 18)
+ if (size / 18 < n)
 goto error;
 for (i = 0; i < n; i++) {
@@ -1618,10 +1622,13 @@ mxf_local_tag_parse (const guint8 * data, guint size, guint16 * tag,
 *tag = GST_READ_UINT16_BE (data);
 *tag_size = GST_READ_UINT16_BE (data + 2);
- if (size < 4 + *tag_size)
+ data += 4;
+ size -= 4;
+
+ if (size < *tag_size)
 return FALSE;
- *tag_data = data + 4;
+ *tag_data = data;
 return TRUE;
 }
diff --git a/gst/mxf/mxful.c b/gst/mxf/mxful.c
index 3d186f915f..01d1f1b9fb 100644
--- a/gst/mxf/mxful.c
+++ b/gst/mxf/mxful.c
@@ -641,7 +641,7 @@ mxf_ul_array_parse (MXFUL ** array, guint32 * count, const guint8 * data,
 return FALSE;
 }
- if (16 * element_count < size) {
+ if (element_count > size / 16) {
 *array = NULL;
 *count = 0;
 return FALSE;
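Review bot: In mxf_index_table_segment_reset (gst/mxf/mxftypes.c) the new `if (segment->index_entries)` guard covers a segment whose `n_index_entries` is non-zero while `index_entries` is NULL, but nothing here says how that state arises. If it comes from the parser setting the count before the allocation or before a `goto error` (outside these hunks, so inferred), assigning `n_index_entries` only once `index_entries` is allocated would remove the inconsistency at its source. At minimum a comment such as `/* index_entries may be NULL if parsing failed early */` would explain the guard.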