mpegtsdemux: fix possible read beyond end of buffer when resyncing

author Tim-Philipp Müller <tim@centricular.net>

Tue, 27 Aug 2013 16:05:44 +0000 (17:05 +0100)

committer Tim-Philipp Müller <tim@centricular.net>

Tue, 27 Aug 2013 16:05:44 +0000 (17:05 +0100)
author Tim-Philipp Müller <tim@centricular.net>
Tue, 27 Aug 2013 16:05:44 +0000 (17:05 +0100)
committer Tim-Philipp Müller <tim@centricular.net>
Tue, 27 Aug 2013 16:05:44 +0000 (17:05 +0100)
diff --git a/gst/mpegtsdemux/mpegtspacketizer.c b/gst/mpegtsdemux/mpegtspacketizer.c

index 6f21bb5..a64fd00 100644 (file)
--- a/gst/mpegtsdemux/mpegtspacketizer.c
+++ b/gst/mpegtsdemux/mpegtspacketizer.c
@@ -800,7 +800,7 @@ mpegts_packetizer_next_packet (MpegTSPacketizer2 * packetizer,
      GST_LOG ("Lost sync %d", packet_size);
  
      /* Find the 0x47 in the buffer (and require at least 2 checks) */
-    for (; sync_offset < priv->mapped_size + 2 * packet_size; sync_offset++)
+    for (; sync_offset + 2 * packet_size < priv->mapped_size; sync_offset++)
        if (priv->mapped[sync_offset] == 0x47 &&
            priv->mapped[sync_offset + packet_size] == 0x47 &&
            priv->mapped[sync_offset + 2 * packet_size] == 0x47)
author	Tim-Philipp Müller <tim@centricular.net>
	Tue, 27 Aug 2013 16:05:44 +0000 (17:05 +0100)
committer	Tim-Philipp Müller <tim@centricular.net>
	Tue, 27 Aug 2013 16:05:44 +0000 (17:05 +0100)