kate: avoid read buffer overflow in crafted stream

Coverity 1208777
Vincent Penquerc'h 2014-04-30 10:05:15 +01:00
parent 56cca649d4
commit d8fb89e4e6


@ -79,7 +79,7 @@ gst_kate_spu_decode_pixaddr (GstKateEnc * ke, const guint8 * ptr)
/* heavily inspired from dvdspudec */ /* heavily inspired from dvdspudec */
static guint16 static guint16
gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr) gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr, guint16 sz)
{ {
guint16 nbytes = GST_KATE_UINT16_BE (ptr + 0); guint16 nbytes = GST_KATE_UINT16_BE (ptr + 0);
guint16 nbytes_left = nbytes; guint16 nbytes_left = nbytes;
@ -92,6 +92,12 @@ gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr)
nbytes); nbytes);
return 0; return 0;
} }
if (G_UNLIKELY (nbytes > sz)) {
GST_WARNING_OBJECT (ke,
"Number of bytes in color/contrast change command is %u, but the buffer "
"only contains %u byte(s)", nbytes, sz);
return 0;
}
ptr += 2; ptr += 2;
nbytes_left -= 2; nbytes_left -= 2;
@ -348,7 +354,7 @@ gst_kate_spu_decode_command_sequence (GstKateEnc * ke, GstBuffer * buf,
case SPU_CMD_CHG_COLCON: /* 0x07 */ case SPU_CMD_CHG_COLCON: /* 0x07 */
GST_DEBUG_OBJECT (ke, "[7] CHANGE COLOR/CONTRAST"); GST_DEBUG_OBJECT (ke, "[7] CHANGE COLOR/CONTRAST");
CHECK (2); CHECK (2);
ADVANCE (gst_kate_spu_decode_colcon (ke, ptr)); ADVANCE (gst_kate_spu_decode_colcon (ke, ptr, sz));
break; break;
case SPU_CMD_END: /* 0xff */ case SPU_CMD_END: /* 0xff */
GST_DEBUG_OBJECT (ke, "[0xff] END"); GST_DEBUG_OBJECT (ke, "[0xff] END");
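Review bot: The new `nbytes > sz` guard in gst_kate_spu_decode_colcon returns 0, the same value as the short-length branch just above it, so the `ADVANCE (gst_kate_spu_decode_colcon (ke, ptr, sz))` call in the SPU_CMD_CHG_COLCON case cannot tell a rejected command from a parsed one. ADVANCE is defined outside the visible hunks, but if it only adds the returned count to `ptr`, the command loop will presumably keep going and read the length and payload bytes of a stream already known to be malformed as further commands. Consider reporting the failure distinctly and ending the sequence at the call site rather than continuing. It would also help to state the contract on the function, e.g. `/* sz: bytes readable at ptr, including the 2-byte length field; returns bytes consumed, or 0 if the command is malformed */`, assuming `sz` at the call site counts from `ptr`. Both the function body and the command loop continue outside the hunks shown.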