From 9d322436711d6769d7ec7b0917a7b038e3591d7a Mon Sep 17 00:00:00 2001 From: Jose Antonio Santos Cadenas Date: Wed, 18 May 2011 12:36:40 +0200 Subject: [PATCH] rtp: Fix segmentation fault processing payload buffers This commit checks if the value returned by gst_rtp_buffer_get_payload_buffer and gst_rtp_buffer_get_payload_subbuffer is NULL before using it. --- gst/rtp/gstrtpac3depay.c | 5 +++-- gst/rtp/gstrtpbvdepay.c | 2 +- gst/rtp/gstrtpg722depay.c | 2 +- gst/rtp/gstrtpg726depay.c | 9 +++++++++ gst/rtp/gstrtpgsmdepay.c | 2 +- gst/rtp/gstrtpilbcdepay.c | 2 +- gst/rtp/gstrtpmp1sdepay.c | 5 +++-- gst/rtp/gstrtpmp2tdepay.c | 5 +++-- gst/rtp/gstrtpmpvdepay.c | 8 +++++--- gst/rtp/gstrtppcmadepay.c | 14 ++++++++------ gst/rtp/gstrtppcmudepay.c | 14 ++++++++------ gst/rtp/gstrtpspeexdepay.c | 3 ++- 12 files changed, 45 insertions(+), 26 deletions(-) diff --git a/gst/rtp/gstrtpac3depay.c b/gst/rtp/gstrtpac3depay.c index 2ba4cef..cb6304e 100644 --- a/gst/rtp/gstrtpac3depay.c +++ b/gst/rtp/gstrtpac3depay.c @@ -193,8 +193,9 @@ gst_rtp_ac3_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) /* We don't bother with fragmented packets yet */ outbuf = gst_rtp_buffer_get_payload_subbuffer (buf, 2, -1); - GST_DEBUG_OBJECT (rtpac3depay, "pushing buffer of size %d", - GST_BUFFER_SIZE (outbuf)); + if (outbuf) + GST_DEBUG_OBJECT (rtpac3depay, "pushing buffer of size %d", + GST_BUFFER_SIZE (outbuf)); return outbuf; } diff --git a/gst/rtp/gstrtpbvdepay.c b/gst/rtp/gstrtpbvdepay.c index 3ee660a..1957cee 100644 --- a/gst/rtp/gstrtpbvdepay.c +++ b/gst/rtp/gstrtpbvdepay.c @@ -165,7 +165,7 @@ gst_rtp_bv_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) outbuf = gst_rtp_buffer_get_payload_buffer (buf); - if (marker) { + if (marker && outbuf) { /* mark start of talkspurt with DISCONT */ GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); } diff --git a/gst/rtp/gstrtpg722depay.c b/gst/rtp/gstrtpg722depay.c index 1e892fb..0815b23 100644 --- a/gst/rtp/gstrtpg722depay.c +++ b/gst/rtp/gstrtpg722depay.c @@ -236,7 +236,7 @@ gst_rtp_g722_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) outbuf = gst_rtp_buffer_get_payload_buffer (buf); marker = gst_rtp_buffer_get_marker (buf); - if (marker) { + if (marker && outbuf) { /* mark talk spurt with DISCONT */ GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); } diff --git a/gst/rtp/gstrtpg726depay.c b/gst/rtp/gstrtpg726depay.c index 2b36755..33247d0 100644 --- a/gst/rtp/gstrtpg726depay.c +++ b/gst/rtp/gstrtpg726depay.c @@ -222,6 +222,8 @@ gst_rtp_g726_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) if (depay->aal2 || depay->force_aal2) { /* AAL2, we can just copy the bytes */ outbuf = gst_rtp_buffer_get_payload_buffer (buf); + if (!outbuf) + goto bad_len; } else { guint8 *in, *out, tmp; guint len; @@ -239,6 +241,10 @@ gst_rtp_g726_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) outbuf = gst_rtp_buffer_get_payload_buffer (copy); gst_buffer_unref (copy); } + + if (!outbuf) + goto bad_len; + out = GST_BUFFER_DATA (outbuf); /* we need to reshuffle the bytes, input is always of the form @@ -335,6 +341,9 @@ gst_rtp_g726_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) } return outbuf; + +bad_len: + return NULL; } static void diff --git a/gst/rtp/gstrtpgsmdepay.c b/gst/rtp/gstrtpgsmdepay.c index bb62c50..ca54ea8 100644 --- a/gst/rtp/gstrtpgsmdepay.c +++ b/gst/rtp/gstrtpgsmdepay.c @@ -136,7 +136,7 @@ gst_rtp_gsm_depay_process (GstBaseRTPDepayload * _depayload, GstBuffer * buf) outbuf = gst_rtp_buffer_get_payload_buffer (buf); - if (marker) { + if (marker && outbuf) { /* mark start of talkspurt with DISCONT */ GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); } diff --git a/gst/rtp/gstrtpilbcdepay.c b/gst/rtp/gstrtpilbcdepay.c index 18ca426..d5465c2 100644 --- a/gst/rtp/gstrtpilbcdepay.c +++ b/gst/rtp/gstrtpilbcdepay.c @@ -188,7 +188,7 @@ gst_rtp_ilbc_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) outbuf = gst_rtp_buffer_get_payload_buffer (buf); - if (marker) { + if (marker && outbuf) { /* mark start of talkspurt with DISCONT */ GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); } diff --git a/gst/rtp/gstrtpmp1sdepay.c b/gst/rtp/gstrtpmp1sdepay.c index 4887c4c..b7063d6 100644 --- a/gst/rtp/gstrtpmp1sdepay.c +++ b/gst/rtp/gstrtpmp1sdepay.c @@ -131,8 +131,9 @@ gst_rtp_mp1s_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) outbuf = gst_rtp_buffer_get_payload_buffer (buf); - GST_DEBUG ("gst_rtp_mp1s_depay_chain: pushing buffer of size %d", - GST_BUFFER_SIZE (outbuf)); + if (outbuf) + GST_DEBUG ("gst_rtp_mp1s_depay_chain: pushing buffer of size %d", + GST_BUFFER_SIZE (outbuf)); return outbuf; } diff --git a/gst/rtp/gstrtpmp2tdepay.c b/gst/rtp/gstrtpmp2tdepay.c index fe6c5de..4f5e720 100644 --- a/gst/rtp/gstrtpmp2tdepay.c +++ b/gst/rtp/gstrtpmp2tdepay.c @@ -169,8 +169,9 @@ gst_rtp_mp2t_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) gst_rtp_buffer_get_payload_subbuffer (buf, rtpmp2tdepay->skip_first_bytes, -1); - GST_DEBUG ("gst_rtp_mp2t_depay_chain: pushing buffer of size %d", - GST_BUFFER_SIZE (outbuf)); + if (outbuf) + GST_DEBUG ("gst_rtp_mp2t_depay_chain: pushing buffer of size %d", + GST_BUFFER_SIZE (outbuf)); return outbuf; diff --git a/gst/rtp/gstrtpmpvdepay.c b/gst/rtp/gstrtpmpvdepay.c index f978604..1dea394 100644 --- a/gst/rtp/gstrtpmpvdepay.c +++ b/gst/rtp/gstrtpmpvdepay.c @@ -176,9 +176,11 @@ gst_rtp_mpv_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) outbuf = gst_rtp_buffer_get_payload_subbuffer (buf, payload_header, -1); - GST_DEBUG_OBJECT (rtpmpvdepay, - "gst_rtp_mpv_depay_chain: pushing buffer of size %d", - GST_BUFFER_SIZE (outbuf)); + if (outbuf) { + GST_DEBUG_OBJECT (rtpmpvdepay, + "gst_rtp_mpv_depay_chain: pushing buffer of size %d", + GST_BUFFER_SIZE (outbuf)); + } return outbuf; } diff --git a/gst/rtp/gstrtppcmadepay.c b/gst/rtp/gstrtppcmadepay.c index 35fc0a9..7dabc80 100644 --- a/gst/rtp/gstrtppcmadepay.c +++ b/gst/rtp/gstrtppcmadepay.c @@ -143,12 +143,14 @@ gst_rtp_pcma_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) len = gst_rtp_buffer_get_payload_len (buf); outbuf = gst_rtp_buffer_get_payload_buffer (buf); - GST_BUFFER_DURATION (outbuf) = - gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate); - - if (marker) { - /* mark start of talkspurt with DISCONT */ - GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); + if (outbuf) { + GST_BUFFER_DURATION (outbuf) = + gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate); + + if (marker) { + /* mark start of talkspurt with DISCONT */ + GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); + } } return outbuf; diff --git a/gst/rtp/gstrtppcmudepay.c b/gst/rtp/gstrtppcmudepay.c index fd1f1e5..0b7e56d 100644 --- a/gst/rtp/gstrtppcmudepay.c +++ b/gst/rtp/gstrtppcmudepay.c @@ -143,12 +143,14 @@ gst_rtp_pcmu_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) len = gst_rtp_buffer_get_payload_len (buf); outbuf = gst_rtp_buffer_get_payload_buffer (buf); - GST_BUFFER_DURATION (outbuf) = - gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate); - - if (marker) { - /* mark start of talkspurt with DISCONT */ - GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); + if (outbuf) { + GST_BUFFER_DURATION (outbuf) = + gst_util_uint64_scale_int (len, GST_SECOND, depayload->clock_rate); + + if (marker) { + /* mark start of talkspurt with DISCONT */ + GST_BUFFER_FLAG_SET (outbuf, GST_BUFFER_FLAG_DISCONT); + } } return outbuf; diff --git a/gst/rtp/gstrtpspeexdepay.c b/gst/rtp/gstrtpspeexdepay.c index 10dea1a..87e8a77 100644 --- a/gst/rtp/gstrtpspeexdepay.c +++ b/gst/rtp/gstrtpspeexdepay.c @@ -212,7 +212,8 @@ gst_rtp_speex_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) /* nothing special to be done */ outbuf = gst_rtp_buffer_get_payload_buffer (buf); - GST_BUFFER_DURATION (outbuf) = 20 * GST_MSECOND; + if (outbuf) + GST_BUFFER_DURATION (outbuf) = 20 * GST_MSECOND; return outbuf; } -- 2.7.4