tag_data += 8;
tag_size -= 8;
- if (tag_size != len * 24)
+ if (tag_size / 24 != len)
+ goto error;
+
+ if (G_MAXINT / (24 + sizeof (guint8 *)) < len)
goto error;
self->fixed_channel_status_data =
- g_malloc0 (len * sizeof (guint8 *) + len * 24);
+ g_malloc0 (len * (sizeof (guint8 *) + 24));
for (i = 0; i < len; i++) {
self->fixed_channel_status_data[i] =
tag_data += 8;
tag_size -= 8;
- if (tag_size != len * 24)
+ if (tag_size / 24 != len)
+ goto error;
+
+ if (G_MAXINT / (24 + sizeof (guint8 *)) < len)
goto error;
- self->fixed_user_data = g_malloc0 (len * sizeof (guint8 *) + len * 24);
+ self->fixed_user_data = g_malloc0 (len * (sizeof (guint8 *) + 24));
for (i = 0; i < len; i++) {
self->fixed_user_data[i] =
start = segment->index_start_position;
end = start + segment->index_duration;
+ if (end > G_MAXINT / sizeof (GstMXFDemuxIndex)) {
+ demux->index_tables = g_list_remove (demux->index_tables, t);
+ g_array_free (t->offsets, TRUE);
+ g_free (t);
+ continue;
+ }
if (t->offsets->len < end)
g_array_set_size (t->offsets, end);
- for (i = 0; i < segment->n_index_entries; i++) {
+ for (i = 0; i < segment->n_index_entries && start + i < t->offsets->len;
+ i++) {
GstMXFDemuxIndex *index =
&g_array_index (t->offsets, GstMXFDemuxIndex, start + i);
guint64 offset = segment->index_entries[i].stream_offset;
tag_data += 8;
tag_size -= 8;
- if (tag_size < 4 * len)
+ if (tag_size / 4 < len)
goto error;
self->n_shot_track_ids = len;
d = MXF_METADATA_FILE_DESCRIPTOR (current);
for (i = 0; i < package->n_tracks; i++) {
+ if (!package->tracks[i])
+ continue;
+
if (!MXF_IS_METADATA_MULTIPLE_DESCRIPTOR (d)) {
if (d->linked_track_id == package->tracks[i]->track_id ||
(d->linked_track_id == 0 && package->n_essence_tracks == 1 &&
if (GST_READ_UINT32_BE (tag_data + 4) != 4)
goto error;
- if (tag_size < 8 + 4 * len)
- goto error;
-
tag_data += 8;
tag_size -= 8;
+ if (tag_size / 4 < len)
+ goto error;
+
self->n_track_ids = len;
self->track_ids = g_new0 (guint32, len);
if (GST_READ_UINT32_BE (tag_data + 4) != 4)
goto error;
- if (len * 4 + 8 < tag_size)
+ tag_data += 8;
+ tag_size -= 8;
+
+ if (len < tag_size / 4)
goto error;
self->n_track_ids = len;
return FALSE;
}
- if (16 * element_count < size) {
+ if (element_count > size / 16) {
*array = NULL;
*count = 0;
return FALSE;
tag_data += 4;
tag_size -= 4;
- if (tag_size < len * 6)
+ if (tag_size / 6 < len)
goto error;
segment->delta_entries = g_new (MXFDeltaEntry, len);
tag_data += 4;
tag_size -= 4;
- if (tag_size < len * 11)
+ if (tag_size / 11 < len)
goto error;
segment->index_entries = g_new0 (MXFIndexEntry, len);
g_return_if_fail (segment != NULL);
- for (i = 0; i < segment->n_index_entries; i++) {
- g_free (segment->index_entries[i].slice_offset);
- g_free (segment->index_entries[i].pos_table);
+ if (segment->index_entries) {
+ for (i = 0; i < segment->n_index_entries; i++) {
+ g_free (segment->index_entries[i].slice_offset);
+ g_free (segment->index_entries[i].pos_table);
+ }
}
g_free (segment->index_entries);
n = GST_READ_UINT32_BE (data);
data += 4;
+ size -= 4;
GST_DEBUG (" number of mappings = %u", n);
if (GST_READ_UINT32_BE (data) != 18)
goto error;
data += 4;
+ size -= 4;
- if (size < 8 + n * 18)
+ if (size / 18 < n)
goto error;
for (i = 0; i < n; i++) {
*tag = GST_READ_UINT16_BE (data);
*tag_size = GST_READ_UINT16_BE (data + 2);
- if (size < 4 + *tag_size)
+ data += 4;
+ size -= 4;
+
+ if (size < *tag_size)
return FALSE;
- *tag_data = data + 4;
+ *tag_data = data;
return TRUE;
}
return FALSE;
}
- if (16 * element_count < size) {
+ if (element_count > size / 16) {
*array = NULL;
*count = 0;
return FALSE;
projects / platform / upstream / gst-plugins-bad.git / commitdiff