From e62978d045d57ee9fed7598c02b9017eb974ea36 Mon Sep 17 00:00:00 2001 From: Julien Isorce Date: Mon, 12 Dec 2011 14:54:00 +0100 Subject: [PATCH] mpegtsparse: check offset when retrieving table_id on malformed packets --- gst/mpegdemux/mpegtsparse.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/gst/mpegdemux/mpegtsparse.c b/gst/mpegdemux/mpegtsparse.c index 8a33fc1efe..14372d37b0 100644 --- a/gst/mpegdemux/mpegtsparse.c +++ b/gst/mpegdemux/mpegtsparse.c @@ -1,7 +1,7 @@ /* - * mpegtsparse.c - + * mpegtsparse.c - * Copyright (C) 2007 Alessandro Decina - * + * * Authors: * Alessandro Decina * Zaheer Abbas Merali @@ -222,11 +222,9 @@ mpegts_parse_base_init (gpointer klass) { GstElementClass *element_class = GST_ELEMENT_CLASS (klass); - gst_element_class_add_static_pad_template (element_class, - &sink_template); + gst_element_class_add_static_pad_template (element_class, &sink_template); gst_element_class_add_static_pad_template (element_class, &src_template); - gst_element_class_add_static_pad_template (element_class, - &program_template); + gst_element_class_add_static_pad_template (element_class, &program_template); gst_element_class_set_details_simple (element_class, "MPEG transport stream parser", "Codec/Parser", 
@@ -894,6 +892,19 @@ mpegts_parse_is_psi (MpegTSParse * parse, MpegTSPacketizerPacket * packet)
 if (packet->payload_unit_start_indicator) {
 data = packet->data;
 pointer = *data++;
+ /* avoid out of range:
+ * packet->data is equal to GST_BUFFER_DATA (packet->buffer)
+ * so the data size is GST_BUFFER_SIZE (packet->buffer).
+ * 'pointer' is the offset (the next line is data += pointer)
+ * so we need to check that 'pointer' is not greater than the data size
+ * For example GST_BUFFER_SIZE (packet->buffer) is typically equal to 188
+ * So 'pointer' has to be strictly less than 188
+ */
+ if (!(pointer < GST_BUFFER_SIZE (packet->buffer))) {
+ GST_WARNING_OBJECT (parse,
+ "Wrong offset when retrieving table id: 0x%x", pointer);
+ return FALSE;
+ }
 data += pointer;
 table_id = *data;
 i = 0;
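Review bot: The bound on `pointer` is off by one, because `pointer = *data++` has already stepped `data` past the pointer_field byte, so the `table_id` read after `data += pointer` lands at `packet->data + 1 + pointer`. A `pointer` equal to the buffer size minus one passes the new check and still reads one byte past the end, even under the comment's own assumption that `packet->data` is the start of the buffer. If `packet->data` actually points past the TS header (not visible in this hunk), the margin is wider still. Comparing against the bytes that remain removes both assumptions: `if (pointer >= GST_BUFFER_DATA (packet->buffer) + GST_BUFFER_SIZE (packet->buffer) - data) {`, with the comment's "strictly less than 188" reworded to match. The rest of mpegts_parse_is_psi lies outside the hunk, so later reads through `data` may need the same bound.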