dvdspu: Make sure enough data is allocated for the available data

If the size read from the stream is smaller than the currently available
data then the size is bogus and the data should simply be discarded.

Fixes ZDI-CAN-20994
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4899>

diff --git a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
index 6108de0..391bb63 100644 (file)
--- a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
+++ b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
     obj->rle_data_size = GST_READ_UINT24_BE (payload);
     payload += 3;
 
+    if (end - payload > obj->rle_data_size)
+      return 0;
+
     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
         (int) (end - payload), obj->rle_data_size);