mpegtsparse: check offset when retrieving table_id on malformed packets

Julien Isorce 2011-12-12 14:54:00 +01:00 committed by Sebastian Dröge
parent 63110cab94
commit e62978d045


@ -222,11 +222,9 @@ mpegts_parse_base_init (gpointer klass)
{
GstElementClass *element_class = GST_ELEMENT_CLASS (klass);
gst_element_class_add_static_pad_template (element_class,
&sink_template);
gst_element_class_add_static_pad_template (element_class, &sink_template);
gst_element_class_add_static_pad_template (element_class, &src_template);
gst_element_class_add_static_pad_template (element_class,
&program_template);
gst_element_class_add_static_pad_template (element_class, &program_template);
gst_element_class_set_details_simple (element_class,
"MPEG transport stream parser", "Codec/Parser",
@ -894,6 +892,19 @@ mpegts_parse_is_psi (MpegTSParse * parse, MpegTSPacketizerPacket * packet)
if (packet->payload_unit_start_indicator) {
data = packet->data;
pointer = *data++;
/* avoid out of range:
* packet->data is equal to GST_BUFFER_DATA (packet->buffer)
* so the data size is GST_BUFFER_SIZE (packet->buffer).
* 'pointer' is the offset (the next line is data += pointer)
* so we need to check that 'pointer' is not greater than the data size
* For example GST_BUFFER_SIZE (packet->buffer) is typically equal to 188
* So 'pointer' has to be strictly less than 188
*/
if (!(pointer < GST_BUFFER_SIZE (packet->buffer))) {
GST_WARNING_OBJECT (parse,
"Wrong offset when retrieving table id: 0x%x", pointer);
return FALSE;
}
data += pointer;
table_id = *data;
i = 0;
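Review bot: The new bound still admits a one-byte over-read at `table_id = *data`, because `pointer = *data++` has already moved `data` past the pointer_field byte before `data += pointer` runs. Taking the hunk's own comment at face value (packet->data at the buffer start, 188-byte buffer), `pointer == 187` passes `pointer < GST_BUFFER_SIZE (packet->buffer)` and the read lands at offset 188, one past the end; if packet->data in fact sits after the TS header or an adaptation field, the slack is larger. Comparing against the bytes remaining after `data` covers both cases: `if (pointer >= GST_BUFFER_DATA (packet->buffer) + GST_BUFFER_SIZE (packet->buffer) - data) {`. The block comment should then say that the offset is relative to the byte after pointer_field, not to the buffer start. mpegts_parse_is_psi begins and ends outside this hunk, so whether packet->data is validated before `*data++` cannot be seen here.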