rtp: Fix segmentation fault processing payload buffers

This commit checks if the value returned by
gst_rtp_buffer_get_payload_buffer and
gst_rtp_buffer_get_payload_subbuffer is NULL before using it.

diff --git a/gst/rtp/gstrtpac3depay.c b/gst/rtp/gstrtpac3depay.c
index 2ba4cef..cb6304e 100644 (file)
--- a/gst/rtp/gstrtpac3depay.c
+++ b/gst/rtp/gstrtpac3depay.c
@@ -193,8 +193,9 @@ gst_rtp_ac3_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
     /* We don't bother with fragmented packets yet */
     outbuf = gst_rtp_buffer_get_payload_subbuffer (buf, 2, -1);
 
-    GST_DEBUG_OBJECT (rtpac3depay, "pushing buffer of size %d",
-        GST_BUFFER_SIZE (outbuf));
+    if (outbuf)
+        GST_DEBUG_OBJECT (rtpac3depay, "pushing buffer of size %d",
+            GST_BUFFER_SIZE (outbuf));
 
     return outbuf;
   }

diff --git a/gst/rtp/gstrtpbvdepay.c b/gst/rtp/gstrtpbvdepay.c
index 3ee660a..1957cee 100644 (file)
--- a/gst/rtp/gstrtpbvdepay.c
+++ b/gst/rtp/gstrtpbvdepay.c
@@ -165,7 +165,7 @@ gst_rtp_bv_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
 
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
 
-  if (marker) {
+  if (marker && outbuf) {
     /* mark start of talkspurt with DISCONT */
     GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
   }

diff --git a/gst/rtp/gstrtpg722depay.c b/gst/rtp/gstrtpg722depay.c
index 1e892fb..0815b23 100644 (file)
--- a/gst/rtp/gstrtpg722depay.c
+++ b/gst/rtp/gstrtpg722depay.c
@@ -236,7 +236,7 @@ gst_rtp_g722_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
   marker = gst_rtp_buffer_get_marker (buf);
 
-  if (marker) {
+  if (marker && outbuf) {
     /* mark talk spurt with DISCONT */
     GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
   }

diff --git a/gst/rtp/gstrtpg726depay.c b/gst/rtp/gstrtpg726depay.c
index 2b36755..33247d0 100644 (file)
--- a/gst/rtp/gstrtpg726depay.c
+++ b/gst/rtp/gstrtpg726depay.c
@@ -222,6 +222,8 @@ gst_rtp_g726_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
   if (depay->aal2 || depay->force_aal2) {
     /* AAL2, we can just copy the bytes */
     outbuf = gst_rtp_buffer_get_payload_buffer (buf);
+    if (!outbuf)
+      goto bad_len;
   } else {
     guint8 *in, *out, tmp;
     guint len;
@@ -239,6 +241,10 @@ gst_rtp_g726_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
       outbuf = gst_rtp_buffer_get_payload_buffer (copy);
       gst_buffer_unref (copy);
     }
+
+    if (!outbuf)
+      goto bad_len;
+
     out = GST_BUFFER_DATA (outbuf);
 
     /* we need to reshuffle the bytes, input is always of the form
@@ -335,6 +341,9 @@ gst_rtp_g726_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
   }
 
   return outbuf;
+
+bad_len:
+  return NULL;
 }
 
 static void

diff --git a/gst/rtp/gstrtpgsmdepay.c b/gst/rtp/gstrtpgsmdepay.c
index bb62c50..ca54ea8 100644 (file)
--- a/gst/rtp/gstrtpgsmdepay.c
+++ b/gst/rtp/gstrtpgsmdepay.c
@@ -136,7 +136,7 @@ gst_rtp_gsm_depay_process (GstBaseRTPDepayload * _depayload, GstBuffer * buf)
 
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
 
-  if (marker) {
+  if (marker && outbuf) {
     /* mark start of talkspurt with DISCONT */
     GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
   }

diff --git a/gst/rtp/gstrtpilbcdepay.c b/gst/rtp/gstrtpilbcdepay.c
index 18ca426..d5465c2 100644 (file)
--- a/gst/rtp/gstrtpilbcdepay.c
+++ b/gst/rtp/gstrtpilbcdepay.c
@@ -188,7 +188,7 @@ gst_rtp_ilbc_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
 
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
 
-  if (marker) {
+  if (marker && outbuf) {
     /* mark start of talkspurt with DISCONT */
     GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
   }

diff --git a/gst/rtp/gstrtpmp1sdepay.c b/gst/rtp/gstrtpmp1sdepay.c
index 4887c4c..b7063d6 100644 (file)
--- a/gst/rtp/gstrtpmp1sdepay.c
+++ b/gst/rtp/gstrtpmp1sdepay.c
@@ -131,8 +131,9 @@ gst_rtp_mp1s_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
 
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
 
-  GST_DEBUG ("gst_rtp_mp1s_depay_chain: pushing buffer of size %d",
-      GST_BUFFER_SIZE (outbuf));
+  if (outbuf)
+    GST_DEBUG ("gst_rtp_mp1s_depay_chain: pushing buffer of size %d",
+        GST_BUFFER_SIZE (outbuf));
 
   return outbuf;
 }

diff --git a/gst/rtp/gstrtpmp2tdepay.c b/gst/rtp/gstrtpmp2tdepay.c
index fe6c5de..4f5e720 100644 (file)
--- a/gst/rtp/gstrtpmp2tdepay.c
+++ b/gst/rtp/gstrtpmp2tdepay.c
@@ -169,8 +169,9 @@ gst_rtp_mp2t_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
       gst_rtp_buffer_get_payload_subbuffer (buf, rtpmp2tdepay->skip_first_bytes,
       -1);
 
-  GST_DEBUG ("gst_rtp_mp2t_depay_chain: pushing buffer of size %d",
-      GST_BUFFER_SIZE (outbuf));
+  if (outbuf)
+    GST_DEBUG ("gst_rtp_mp2t_depay_chain: pushing buffer of size %d",
+        GST_BUFFER_SIZE (outbuf));
 
   return outbuf;
 

diff --git a/gst/rtp/gstrtpmpvdepay.c b/gst/rtp/gstrtpmpvdepay.c
index f978604..1dea394 100644 (file)
--- a/gst/rtp/gstrtpmpvdepay.c
+++ b/gst/rtp/gstrtpmpvdepay.c
@@ -176,9 +176,11 @@ gst_rtp_mpv_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
 
     outbuf = gst_rtp_buffer_get_payload_subbuffer (buf, payload_header, -1);
 
-    GST_DEBUG_OBJECT (rtpmpvdepay,
-        "gst_rtp_mpv_depay_chain: pushing buffer of size %d",
-        GST_BUFFER_SIZE (outbuf));
+    if (outbuf) {
+      GST_DEBUG_OBJECT (rtpmpvdepay,
+          "gst_rtp_mpv_depay_chain: pushing buffer of size %d",
+          GST_BUFFER_SIZE (outbuf));
+    }
 
     return outbuf;
   }

diff --git a/gst/rtp/gstrtppcmadepay.c b/gst/rtp/gstrtppcmadepay.c
index 35fc0a9..7dabc80 100644 (file)
--- a/gst/rtp/gstrtppcmadepay.c
+++ b/gst/rtp/gstrtppcmadepay.c
@@ -143,12 +143,14 @@ gst_rtp_pcma_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
   len = gst_rtp_buffer_get_payload_len (buf);
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
 
-  GST_BUFFER_DURATION (outbuf) =
-      gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate);
-
-  if (marker) {
-    /* mark start of talkspurt with DISCONT */
-    GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
+  if (outbuf) {
+    GST_BUFFER_DURATION (outbuf) =
+        gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate);
+
+    if (marker) {
+      /* mark start of talkspurt with DISCONT */
+      GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
+    }
   }
 
   return outbuf;

diff --git a/gst/rtp/gstrtppcmudepay.c b/gst/rtp/gstrtppcmudepay.c
index fd1f1e5..0b7e56d 100644 (file)
--- a/gst/rtp/gstrtppcmudepay.c
+++ b/gst/rtp/gstrtppcmudepay.c
@@ -143,12 +143,14 @@ gst_rtp_pcmu_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
   len = gst_rtp_buffer_get_payload_len (buf);
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
 
-  GST_BUFFER_DURATION (outbuf) =
-      gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate);
-
-  if (marker) {
-    /* mark start of talkspurt with DISCONT */
-    GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
+  if (outbuf) {
+    GST_BUFFER_DURATION (outbuf) =
+        gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate);
+
+    if (marker) {
+      /* mark start of talkspurt with DISCONT */
+      GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT);
+    }
   }
 
   return outbuf;

diff --git a/gst/rtp/gstrtpspeexdepay.c b/gst/rtp/gstrtpspeexdepay.c
index 10dea1a..87e8a77 100644 (file)
--- a/gst/rtp/gstrtpspeexdepay.c
+++ b/gst/rtp/gstrtpspeexdepay.c
@@ -212,7 +212,8 @@ gst_rtp_speex_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
   /* nothing special to be done */
   outbuf = gst_rtp_buffer_get_payload_buffer (buf);
 
-  GST_BUFFER_DURATION (outbuf) = 20 * GST_MSECOND;
+  if (outbuf)
+    GST_BUFFER_DURATION (outbuf) = 20 * GST_MSECOND;
 
   return outbuf;
 }