mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2025-03-09 13:21:16 +00:00
Code Issues 1 Projects Releases Wiki Activity

Fix for security advisory TKADV2009-0xx

Browse source 
Fix potential buffer overflows while reading quicktime headers.
Security issue noticed by Tobias Klein.
This commit is contained in:
David Schleef 2009-01-21 17:22:39 -08:00 committed by Jan Schmidt
parent 1e7e381a8d
commit bdc20b9baf
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
gst/qtdemux/qtdemux.c
View file

@ -3058,13 +3058,13 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
stream->min_duration = 0; stream->min_duration = 0;
time = 0; time = 0;
index = 0; index = 0;
for (i = 0; i < n_sample_times; i++) { for (i = 0; (i < n_sample_times) && (index < stream->n_samples); i++) {
guint32 n; guint32 n;
guint32 duration; guint32 duration;
n = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i); n = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i);
duration = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i + 4); duration = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i + 4);
for (j = 0; j < n; j++) { for (j = 0; (j < n) && (index < stream->n_samples); j++) {
GST_DEBUG_OBJECT (qtdemux, "sample %d: timestamp %" GST_TIME_FORMAT, GST_DEBUG_OBJECT (qtdemux, "sample %d: timestamp %" GST_TIME_FORMAT,
index, GST_TIME_ARGS (timestamp)); index, GST_TIME_ARGS (timestamp));
@ -3092,7 +3092,7 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
for (i = 0; i < n_sample_syncs; i++) { for (i = 0; i < n_sample_syncs; i++) {
/* note that the first sample is index 1, not 0 */ /* note that the first sample is index 1, not 0 */
index = QT_UINT32 ((guint8 *) stss->data + offset); index = QT_UINT32 ((guint8 *) stss->data + offset);
if (index > 0) { if (index > 0 && index <= stream->n_samples) {
samples[index - 1].keyframe = TRUE; samples[index - 1].keyframe = TRUE;
offset += 4; offset += 4;
} }
@ -3191,7 +3191,7 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
for (i = 0, j = 0; (j < stream->n_samples) && (i < n_entries); i++) { for (i = 0, j = 0; (j < stream->n_samples) && (i < n_entries); i++) {
count = QT_UINT32 (ctts_data + 16 + i * 8); count = QT_UINT32 (ctts_data + 16 + i * 8);
soffset = QT_UINT32 (ctts_data + 20 + i * 8); soffset = QT_UINT32 (ctts_data + 20 + i * 8);
for (k = 0; k < count; k++, j++) { for (k = 0; (k < count) && (j < stream->n_samples); k++, j++) {
/* we operate with very small soffset values here, it shouldn't overflow */ /* we operate with very small soffset values here, it shouldn't overflow */
samples[j].pts_offset = soffset * GST_SECOND / stream->timescale; samples[j].pts_offset = soffset * GST_SECOND / stream->timescale;
} }