Commit 0d14819e authored by Edward Hervey's avatar Edward Hervey 🤘 Committed by Edward Hervey

oggdemux: Handle invalid-sized packets

On invalid packets there is the possibility we might end up wanting
to trim/offset more than what is available.

oss-fuzz issue #5866
parent dbae1977
......@@ -778,7 +778,9 @@ gst_ogg_demux_chain_peer (GstOggPad * pad, ogg_packet * packet,
pad->prev_granule = pad->current_granule;
}
if (pad->map.is_ogm_text) {
if (G_UNLIKELY (offset + trim > packet->bytes))
goto invalid_packet;
else if (pad->map.is_ogm_text) {
/* check for invalid buffer sizes */
if (G_UNLIKELY (offset + trim >= packet->bytes))
goto empty_packet;
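Review bot: The new `offset + trim > packet->bytes` guard carries no comment, and its relation to the `>=` test two lines below is easy to misread: an exact match still falls through for non-text streams but is treated as an empty packet for OGM text. A one-line comment such as `/* malformed packet: offset + trim exceed the payload, nothing left to copy */` would record that intent. Since the first branch always jumps away, the `else` in `else if (pad->map.is_ogm_text)` is redundant and ties the bounds check to the stream-type test; a plain `if` reads more clearly. The guard also presumes `offset` and `trim` are non-negative and that their sum cannot wrap, which depends on declarations outside this hunk; gst_ogg_demux_chain_peer starts and ends outside it.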
......@@ -901,6 +903,12 @@ empty_packet:
goto done;
}
invalid_packet:
{
GST_DEBUG_OBJECT (ogg, "Skipping invalid packet");
goto done;
}
no_timestamp:
{
GST_DEBUG_OBJECT (ogg, "skipping packet: no valid granule found yet");
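Review bot: The `invalid_packet` label drops a malformed packet with a fixed debug string, so a log from a fuzzed or hostile stream gives no way to tell which bound was exceeded or by how much. Including the values would help triage, e.g. `GST_DEBUG_OBJECT (ogg, "Skipping invalid packet (offset %d, trim %d, size %ld)", offset, trim, packet->bytes);`, with the format specifiers matched to the declarations of `offset` and `trim`, which are outside this hunk. The label sits inside a function whose body starts before and continues after the hunk.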
......