From ca2f96caac718c4d466e0e619f2e48471d7dbb24 Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Wed, 26 Oct 2011 16:29:35 +0100
Subject: [PATCH] vc1parser: do not overwrite buffer
I do not know the bitstream format, but this seems likely to be what was intended. Also add a check on the number of items to read.
https://bugzilla.gnome.org/show_bug.cgi?id=662776
---
 gst-libs/gst/codecparsers/gstvc1parser.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/gst-libs/gst/codecparsers/gstvc1parser.c b/gst-libs/gst/codecparsers/gstvc1parser.c
index 9c720911a2..7407b5585b 100644
--- a/gst-libs/gst/codecparsers/gstvc1parser.c
+++ b/gst-libs/gst/codecparsers/gstvc1parser.c
@@ -1985,8 +1985,16 @@ gst_vc1_parse_entry_point_header (const guint8 * data, gsize size,
 entrypoint->quantizer = gst_bit_reader_get_bits_uint8_unchecked (&br, 2);
 if (advanced->hrd_param_flag) {
+ if (seqhdr->advanced.hrd_param.hrd_num_leaky_buckets >
+ MAX_HRD_NUM_LEAKY_BUCKETS) {
+ GST_WARNING
+ ("hrd_num_leaky_buckets (%d) > MAX_HRD_NUM_LEAKY_BUCKETS (%d)",
+ seqhdr->advanced.hrd_param.hrd_num_leaky_buckets,
+ MAX_HRD_NUM_LEAKY_BUCKETS);
+ goto failed;
+ }
 for (i = 0; i < seqhdr->advanced.hrd_param.hrd_num_leaky_buckets; i++)
- READ_UINT8 (&br, entrypoint->hrd_full[MAX_HRD_NUM_LEAKY_BUCKETS], 8);
+ READ_UINT8 (&br, entrypoint->hrd_full[i], 8);
 }
 READ_UINT8 (&br, entrypoint->coded_size_flag, 1);
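Review bot: The new bound check on `hrd_num_leaky_buckets` sits at the point of use in `gst_vc1_parse_entry_point_header`, so it protects only the `hrd_full[i]` loop; the count is taken from the previously parsed sequence header, and any other array filled from the same count (presumably in the sequence-header HRD parsing, which is outside this hunk) still depends on its own check. Since the value comes from the bitstream, it would be more robust to reject it where it is read and keep this check as a second line of defence, with a comment such as `/* count comes from the stream; hrd_full[] holds MAX_HRD_NUM_LEAKY_BUCKETS entries */`. The `>` comparison is correct only if `hrd_full` is declared with exactly `MAX_HRD_NUM_LEAKY_BUCKETS` elements, which is not visible here and is worth confirming against the struct definition. The function's body starts and ends outside the hunk.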