Message ID | 20210915125811.12314-1-nicolas.dato@gmail.com |
---|---|
State | New |
Series | [FFmpeg-devel,v3] avformat/mpegts: fixes overflow when parsing the PMT |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
andriy/make_ppc | success | Make finished |
andriy/make_fate_ppc | success | Make fate finished |

On Wed, 15 Sep 2021, Nicolas Jorge Dato wrote:

> When a possible overflow was detected, there was a break
> to exit the while loop.
> However, it should have already subtracted 2 bytes from
> program_info_length (descriptor ID + length).
> Ticket #9422

Thanks, applied.

Regards,
Marton

> --- > libavformat/mpegts.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c > index fe89d4fb9f..f4e95d21fd 100644 > --- a/libavformat/mpegts.c > +++ b/libavformat/mpegts.c > @@ -2346,10 +2346,11 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len > > av_log(ts->stream, AV_LOG_TRACE, "program tag: 0x%02x len=%d\n", tag, len); > > - if (len > program_info_length - 2) > + program_info_length -= 2; > + if (len > program_info_length) > // something else is broken, exit the program_descriptors_loop > break; > - program_info_length -= len + 2; > + program_info_length -= len; > if (tag == IOD_DESCRIPTOR) { > get8(&p, p_end); // scope > get8(&p, p_end); // label > -- > 2.33.0

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index fe89d4fb9f..f4e95d21fd 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2346,10 +2346,11 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len av_log(ts->stream, AV_LOG_TRACE, "program tag: 0x%02x len=%d\n", tag, len); - if (len > program_info_length - 2) + program_info_length -= 2; + if (len > program_info_length) // something else is broken, exit the program_descriptors_loop break; - program_info_length -= len + 2; + program_info_length -= len; if (tag == IOD_DESCRIPTOR) { get8(&p, p_end); // scope get8(&p, p_end); // label
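
Review bot: the new `program_info_length -= 2;` placed ahead of the `len > program_info_length` check has no comment saying why it must run before the `break`, and the existing comment ("something else is broken, exit the program_descriptors_loop") does not cover it. A short comment on that line, stating that the two bytes are the descriptor tag and length already read and that the remaining count has to stay in step with the read position even on the early exit, would keep a later cleanup from folding the subtraction back into `program_info_length -= len`. The unconditional subtraction also depends on the loop condition, which is outside this hunk, guaranteeing at least 2 bytes remain; if that guard ever changes, `program_info_length` goes negative here and the `len > program_info_length` test then breaks out with a negative remainder, so it is worth confirming that whatever consumes the value after the loop tolerates that. The patch touches only `libavformat/mpegts.c`; a regression test built from the ticket #9422 sample would pin the fix.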