From: Olivier Crete Date: Sat, 8 Mar 2008 04:21:34 +0000 (+0000) Subject: gst/rtp/gstrtph263pdepay.c: Check that a buffer is large enough before reading from it. X-Git-Tag: RELEASE-0_10_8~78 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c7296fe79a7e2f05d33f9ad5cb5b136150a1f710;p=platform%2Fupstream%2Fgst-plugins-good.git gst/rtp/gstrtph263pdepay.c: Check that a buffer is large enough before reading from it. Original commit message from CVS: Patch by: Olivier Crete * gst/rtp/gstrtph263pdepay.c: (gst_rtp_h263p_depay_process): Check that a buffer is large enough before reading from it. Fixes bug #521102.
---
diff --git a/ChangeLog b/ChangeLog
index dc25136..71f846b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2008-03-08 Sebastian Dröge
+
+ Patch by: Olivier Crete
+
+ * gst/rtp/gstrtph263pdepay.c: (gst_rtp_h263p_depay_process):
+ Check that a buffer is large enough before reading from it.
+ Fixes bug #521102.
+
 2008-03-07 Wim Taymans
 * gst/udp/gstudpsrc.c: (gst_udpsrc_start):
diff --git a/common b/common
index e02bd43..170f8e9 160000
--- a/common
+++ b/common
@@ -1 +1 @@
-Subproject commit e02bd43fe6b9e45536eccbf5b7a5f9eae62030fd
+Subproject commit 170f8e91adc7157f6e708ffa58ca22d10e4e45da
diff --git a/gst/rtp/gstrtph263pdepay.c b/gst/rtp/gstrtph263pdepay.c
index 082d26f..7d77573 100644
--- a/gst/rtp/gstrtph263pdepay.c
+++ b/gst/rtp/gstrtph263pdepay.c
@@ -265,6 +265,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
 header_len = 2;
+ if (payload_len < header_len)
+ goto bad_packet;
+
 M = gst_rtp_buffer_get_marker (buf);
 /* 0 1
@@ -285,6 +288,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf)
 header_len += PLEN;
 }
+ if ((!P && payload_len < header_len) || (P && payload_len < header_len - 2))
+ goto bad_packet;
+
 if (P) {
 rtph263pdepay->wait_start = FALSE;
 header_len -= 2;
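Review bot: The new guard in the `@@ -265,6 +265,9 @@` hunk carries no comment saying what the literal in `header_len = 2;` stands for or why the length test has to come before the header fields are parsed. I would put `/* the fixed payload header is 2 bytes; drop the packet before any of it is read */` above `if (payload_len < header_len)`. The declarations of payload_len and header_len are outside the hunk, so it is worth confirming that both have the same signedness and the comparison is not subject to an implicit conversion.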
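Review bot: In the `@@ -285,6 +288,9 @@` hunk the P branch of the new test accepts a packet with `payload_len == header_len - 2`, that is, one whose declared V/PLEN header bytes are not all present, and the `if (P)` block right after it lowers header_len by 2, leaving zero bytes at offset header_len. The code after `header_len -= 2;` is outside the hunk; if it reads or writes `payload[header_len]` or `payload[header_len + 1]`, as the adjusted offset suggests it may, that access would land past the end of the payload. Requiring the complete header regardless of P closes the gap: `if (payload_len < header_len) goto bad_packet;`. A one-line comment naming the bytes this bound protects would also help keep the check and the later indexing in step.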