From: Edward Hervey
Date: Mon, 30 Oct 2017 07:55:48 +0000 (+0100)
Subject: typefind: Fix out-of-bound memory access
X-Git-Tag: 1.16.2~1051
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7b5d97e9c3dbd63a07c59349660a537ec5467040;p=platform%2Fupstream%2Fgst-plugins-base.git

typefind: Fix out-of-bound memory access

We were not checking the proper amount of available data in several places
---
diff --git a/gst/typefind/gsttypefindfunctions.c b/gst/typefind/gsttypefindfunctions.c
index 4caa2fe..c9a2c75 100644
--- a/gst/typefind/gsttypefindfunctions.c
+++ b/gst/typefind/gsttypefindfunctions.c
@@ -1716,7 +1716,7 @@ ac3_type_find (GstTypeFind * tf, gpointer unused)
 * frame is followed by a second frame at the expected offset.
 * We could also check the two ac3 CRCs, but we don't do that right now */
 while (c.offset < 1024) {
- if (G_UNLIKELY (!data_scan_ctx_ensure_data (tf, &c, 5)))
+ if (G_UNLIKELY (!data_scan_ctx_ensure_data (tf, &c, 6)))
 break;
 if (c.data[0] == 0x0b && c.data[1] == 0x77) {
@@ -3012,7 +3012,7 @@ static GstStaticCaps aiff_caps = GST_STATIC_CAPS ("audio/x-aiff");
 static void
 aiff_type_find (GstTypeFind * tf, gpointer unused)
 {
- const guint8 *data = gst_type_find_peek (tf, 0, 4);
+ const guint8 *data = gst_type_find_peek (tf, 0, 16);
 if (data && memcmp (data, "FORM", 4) == 0) {
 data += 8;
@@ -3029,7 +3029,7 @@ static GstStaticCaps svx_caps = GST_STATIC_CAPS ("audio/x-svx");
 static void
 svx_type_find (GstTypeFind * tf, gpointer unused)
 {
- const guint8 *data = gst_type_find_peek (tf, 0, 4);
+ const guint8 *data = gst_type_find_peek (tf, 0, 16);
 if (data && memcmp (data, "FORM", 4) == 0) {
 data += 8;
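Review bot: In ac3_type_find the new length in `data_scan_ctx_ensure_data (tf, &c, 6)` is a bare literal with nothing tying it to the reads it protects. The hunk only shows `c.data[0]` and `c.data[1]` being read; the access that needs the sixth byte is presumably further down the loop body, which continues outside this hunk. A one-line comment above the call, e.g. `/* header parse below reads through c.data[5] */` (assuming 5 is the highest index used), would keep the ensured length and the highest index from drifting apart again, which is the class of bug this commit fixes.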
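Review bot: In aiff_type_find the peek length goes from 4 to 16, but the visible code only needs the 4-byte `FORM` tag plus whatever is read after `data += 8`; if that is a single 4-byte form-type compare (the rest of the function is outside the hunk), 12 bytes would be enough. Over-requesting is memory-safe, but it makes `gst_type_find_peek` return NULL, which the `data &&` test treats as no match, on inputs shorter than 16 bytes. Either request exactly what is read or document the choice next to the call, e.g. `/* FORM tag (4) + chunk size (4) + form type (4) */`. svx_type_find in the next hunk has the same pattern and the same literal, so the same comment or a shared named constant applies there.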
@@ -3360,7 +3360,7 @@ qt_type_find (GstTypeFind * tf, gpointer unused)
 if ((STRNCMP (&data[4], "ftyp", 4) == 0) && (size >= 16)) {
 new_offset = offset + 12;
 while (new_offset + 4 <= offset + size) {
- data = gst_type_find_peek (tf, new_offset, 4);
+ data = gst_type_find_peek (tf, new_offset, 8);
 if (data == NULL)
 goto done;
 if (STRNCMP (&data[4], "isom", 4) == 0 ||
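Review bot: The loop guard `while (new_offset + 4 <= offset + size)` still budgets 4 bytes per iteration, while the body now peeks 8 and compares `&data[4]`, i.e. bytes new_offset+4 through new_offset+7. The widened peek makes the read memory-safe, but on the last iteration the compared brand can lie past the end of the ftyp box, and a NULL peek there takes `goto done` even though the box itself was fully available. Consider `while (new_offset + 8 <= offset + size)` so the guard matches what is read. The rest of the comparison and the loop increment are outside this hunk, so they should be checked against that bound as well.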