From c0da05df383b5d6b2e018069b4398be8c3d4f121 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
Date: Tue, 22 Nov 2016 20:01:20 +0200
Subject: [PATCH] matroska: Add size checks to the parsing of FLAC headers
---
 gst/matroska/matroska-ids.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/gst/matroska/matroska-ids.c b/gst/matroska/matroska-ids.c
index 74b4147f87..1ef3e26303 100644
--- a/gst/matroska/matroska-ids.c
+++ b/gst/matroska/matroska-ids.c
@@ -283,15 +283,18 @@ gst_matroska_parse_flac_stream_headers (gpointer codec_data,
 /* skip fLaC marker */
 off = 4;
- /* FIXME: check size remaining */
- while (off < codec_data_size) {
+ while (off < codec_data_size - 3) {
 len = GST_READ_UINT8 (pdata + off + 1) << 16;
 len |= GST_READ_UINT8 (pdata + off + 2) << 8;
 len |= GST_READ_UINT8 (pdata + off + 3);
 GST_DEBUG ("header packet: len=%u bytes, flags=0x%02x", len, pdata[off]);
- /* FIXME: check size remaining */
+ if (off + len > codec_data_size) {
+ gst_buffer_list_unref (list);
+ return NULL;
+ }
+
 hdr = gst_buffer_new_wrapped (g_memdup (pdata + off, len + 4), len + 4);
 gst_buffer_list_add (list, hdr);
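Review bot: The added bound `if (off + len > codec_data_size)` does not account for the 4-byte block header that the next line also copies with `g_memdup (pdata + off, len + 4)`, so a block whose declared payload ends at or within 4 bytes of the end of the buffer still passes the check and reads up to 4 bytes past `codec_data`. Comparing against the remaining size closes the gap, e.g. `if (len > codec_data_size - off - 4) {`; that subtraction should not wrap, because the loop condition already guarantees at least 4 bytes remain at `off`. Separately, `codec_data_size - 3` in the loop condition would wrap if the size is an unsigned type and smaller than 3. The start of the function is outside the hunk, so confirm that a minimum-size check precedes the loop, or write the condition as `off + 3 < codec_data_size`.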