gst/rtp/gstrtph263pdepay.c: Check that a buffer is large enough before reading from it.

Original commit message from CVS:
Patch by: Olivier Crete <tester at tester dot ca>
* gst/rtp/gstrtph263pdepay.c: (gst_rtp_h263p_depay_process):
Check that a buffer is large enough before reading from it.
Fixes bug #521102.

diff --git a/ChangeLog b/ChangeLog
index dc25136..71f846b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2008-03-08  Sebastian Dröge  <slomo@circular-chaos.org>
+
+       Patch by: Olivier Crete <tester at tester dot ca>
+
+       * gst/rtp/gstrtph263pdepay.c: (gst_rtp_h263p_depay_process):
+       Check that a buffer is large enough before reading from it.
+       Fixes bug #521102.
+       
 2008-03-07  Wim Taymans  <wim.taymans@collabora.co.uk>
 
        * gst/udp/gstudpsrc.c: (gst_udpsrc_start):

diff --git a/common b/common
index e02bd43..170f8e9 160000 (submodule)
--- a/common
+++ b/common
@@ -1 +1 @@
-Subproject commit e02bd43fe6b9e45536eccbf5b7a5f9eae62030fd
+Subproject commit 170f8e91adc7157f6e708ffa58ca22d10e4e45da

diff --git a/gst/rtp/gstrtph263pdepay.c b/gst/rtp/gstrtph263pdepay.c
index 082d26f..7d77573 100644 (file)
--- a/gst/rtp/gstrtph263pdepay.c
+++ b/gst/rtp/gstrtph263pdepay.c
@@ -265,6 +265,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
 
     header_len = 2;
 
+    if (payload_len < header_len)
+      goto bad_packet;
+
     M = gst_rtp_buffer_get_marker (buf);
 
     /*  0                   1
@@ -285,6 +288,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
       header_len += PLEN;
     }
 
+    if ((!P && payload_len < header_len) || (P && payload_len < header_len - 2))
+      goto bad_packet;
+
     if (P) {
       rtph263pdepay->wait_start = FALSE;
       header_len -= 2;