Commit 9726aaf7 authored by Sebastian Dröge's avatar Sebastian Dröge 🍵 Committed by Tim-Philipp Müller

rmdemux: Make sure we have enough data available when parsing audio/video packets

Otherwise there will be out-of-bounds reads and potential crashes.

Thanks to Natalie Silvanovich for reporting.

Fixes #37

Part-of: <!75>
parent 555ecf28
......@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
gst_buffer_map (in, &map, GST_MAP_READ);
if (map.size < offset)
goto not_enough_data;
data = map.data + offset;
size = map.size - offset;
......@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
}
GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
if (map.size < (data - map.data) + fragment_size)
goto not_enough_data;
/* get the fragment */
fragment =
gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
......@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
GstFlowReturn ret;
GstBuffer *buffer;
if (gst_buffer_get_size (in) < offset)
goto not_enough_data;
buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
......@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
ret = gst_pad_push (stream->pad, buffer);
}
done:
gst_buffer_unref (in);
return ret;
/* ERRORS */
not_enough_data:
{
GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
(NULL));
ret = GST_FLOW_OK;
goto done;
}
}
static GstFlowReturn
......@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
data = map.data;
size = map.size;
if (size < 4 + 6 + 1 + 2)
goto not_enough_data;
/* stream number */
id = RMDEMUX_GUINT16_GET (data);
......@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
/* version 1 has an extra byte */
if (version == 1) {
if (size < 1)
goto not_enough_data;
data += 1;
size -= 1;
}
......@@ -2596,6 +2621,16 @@ unknown_stream:
gst_buffer_unref (in);
return GST_FLOW_OK;
}
/* ERRORS */
not_enough_data:
{
GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
(NULL));
gst_buffer_unmap (in, &map);
gst_buffer_unref (in);
return GST_FLOW_OK;
}
}
gboolean
......
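Review bot: The new bounds check ahead of the fragment copy in gst_rmdemux_parse_video_packet (hunk `@@ -2289,6 +2292,9`) mixes signed and unsigned operands: `fragment_size` is logged with `%d`, so it appears to be a signed int, while `map.size` is unsigned. Its declaration and the code that computes it lie outside the hunk, but if it can go negative, a small negative value added to `(data - map.data)` still gives a non-negative sum that passes the check, and the value is then passed on to gst_buffer_copy_region as a length. Rejecting the negative case explicitly and comparing against the bytes that remain closes that gap and avoids any wrap in the addition: `if (fragment_size < 0 || (gsize) fragment_size > map.size - (data - map.data)) goto not_enough_data;`. This assumes `data` never points past the end of the mapping, which the earlier `map.size < offset` check suggests but the visible lines do not fully show.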