Browse code
avformat/mpegts: Check desc_len / get8() return code
Fixes out of array read
Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/10/04 11:29:40Showing 1 changed files
| ... | ... |
@@ -1882,7 +1882,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len |
| 1882 | 1882 |
break; |
| 1883 | 1883 |
desc_len = get8(&p, desc_list_end); |
| 1884 | 1884 |
desc_end = p + desc_len; |
| 1885 |
- if (desc_end > desc_list_end) |
|
| 1885 |
+ if (desc_len < 0 || desc_end > desc_list_end) |
|
| 1886 | 1886 |
break; |
| 1887 | 1887 |
|
| 1888 | 1888 |
av_dlog(ts->stream, "tag: 0x%02x len=%d\n", |