From 8f05e8f44979c84aaf06f0c817e76eb44b28de50 Mon Sep 17 00:00:00 2001
From: Edward Hervey
Date: Fri, 25 Nov 2016 09:45:04 +0100
Subject: [PATCH] asfdemux: Add sanity checks when reading asf_stream_video_format

It should report a size of at least 40 bytes
Also check for the size of the remaining data (i.e. codec_data)
https://bugzilla.gnome.org/show_bug.cgi?id=775070
---
 gst/asfdemux/gstasfdemux.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/gst/asfdemux/gstasfdemux.c b/gst/asfdemux/gstasfdemux.c
index c6d39b9..8d9dfef 100644
--- a/gst/asfdemux/gstasfdemux.c
+++ b/gst/asfdemux/gstasfdemux.c
@@ -2532,6 +2532,15 @@ gst_asf_demux_get_stream_video_format (asf_stream_video_format * fmt,
 return FALSE;
 fmt->size = gst_asf_demux_get_uint32 (p_data, p_size);
+ /* Sanity checks */
+ if (fmt->size < 40) {
+ GST_WARNING ("Corrupted asf_stream_video_format (size < 40)");
+ return FALSE;
+ }
+ if ((guint64) fmt->size - 4 > *p_size) {
+ GST_WARNING ("Corrupted asf_stream_video_format (codec_data is too small)");
+ return FALSE;
+ }
 fmt->width = gst_asf_demux_get_uint32 (p_data, p_size);
 fmt->height = gst_asf_demux_get_uint32 (p_data, p_size);
 fmt->planes = gst_asf_demux_get_uint16 (p_data, p_size);
@@ -2725,7 +2734,7 @@ gst_asf_demux_add_video_stream (GstASFDemux * demux,
 gchar *str;
 gchar *name = NULL;
 gchar *codec_name = NULL;
- gint size_left = video->size - 40;
+ guint64 size_left = video->size - 40;
 GstBuffer *streamheader = NULL;
 guint par_w = 1, par_h = 1;
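Review bot: The second added check, `if ((guint64) fmt->size - 4 > *p_size)`, gives no reason for the `- 4`, and its warning says codec_data is too small although the condition compares the declared structure size against the bytes still available. Presumably the 4 accounts for the size field consumed by the `gst_asf_demux_get_uint32` call on the line above; a comment such as `/* fmt->size counts its own 4 bytes, already consumed above */` would make the bound auditable, and a message like "declared size exceeds remaining data" would match the test. The literal 40 is the same value subtracted in gst_asf_demux_add_video_stream, so a shared named constant would keep the two sites in step. The function body starts and ends outside this hunk.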
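Review bot: `guint64 size_left = video->size - 40;` is only safe because gst_asf_demux_get_stream_video_format now rejects sizes below 40, and nothing at this site records that dependency. If `video->size` is a 32-bit unsigned field (its declaration is not visible here), the subtraction is evaluated in 32 bits before widening, so a smaller value would wrap to a very large length instead of going negative. A comment such as `/* video->size >= 40 is guaranteed by gst_asf_demux_get_stream_video_format() */`, or a local `if (video->size < 40)` guard, would protect against a later caller that fills the struct by another path. The function body continues outside the hunk.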
@@ -2736,7 +2745,9 @@ gst_asf_demux_add_video_stream (GstASFDemux * demux,
 /* Now try some gstreamer formatted MIME types (from gst_avi_demux_strf_vids) */
 if (size_left) {
- GST_LOG ("Video header has %d bytes of codec specific data", size_left);
+ GST_LOG ("Video header has %" G_GUINT64_FORMAT
+ " bytes of codec specific data (vs %" G_GUINT64_FORMAT ")", size_left,
+ *p_size);
 g_assert (size_left <= *p_size);
 gst_asf_demux_get_buffer (&extradata, size_left, p_data, p_size);
 }
--
2.7.4
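Review bot: The length taken from the file header is still bounded at this site only by `g_assert (size_left <= *p_size);`, which the commit leaves in place. An assertion aborts the whole process on a malformed file, and in builds that define G_DISABLE_ASSERT it is compiled out, so the `gst_asf_demux_get_buffer` call would then depend entirely on the parser check added earlier in this patch. A runtime `if (size_left > *p_size)` branch that logs a warning and takes this function's failure path (not visible in the hunk) would fail gracefully in every build. The return value of `gst_asf_demux_get_buffer` also appears to be ignored here; if it can report failure, `extradata` should not be used afterwards.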