From c7296fe79a7e2f05d33f9ad5cb5b136150a1f710 Mon Sep 17 00:00:00 2001 From: Olivier Crete Date: Sat, 8 Mar 2008 04:21:34 +0000 Subject: [PATCH] gst/rtp/gstrtph263pdepay.c: Check that a buffer is large enough before reading from it. Original commit message from CVS: Patch by: Olivier Crete * gst/rtp/gstrtph263pdepay.c: (gst_rtp_h263p_depay_process): Check that a buffer is large enough before reading from it. Fixes bug #521102. --- ChangeLog | 8 ++++++++ common | 2 +- gst/rtp/gstrtph263pdepay.c | 6 ++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index dc25136..71f846b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2008-03-08 Sebastian Dröge + + Patch by: Olivier Crete + + * gst/rtp/gstrtph263pdepay.c: (gst_rtp_h263p_depay_process): + Check that a buffer is large enough before reading from it. + Fixes bug #521102. + 2008-03-07 Wim Taymans * gst/udp/gstudpsrc.c: (gst_udpsrc_start): diff --git a/common b/common index e02bd43..170f8e9 160000 --- a/common +++ b/common @@ -1 +1 @@ -Subproject commit e02bd43fe6b9e45536eccbf5b7a5f9eae62030fd +Subproject commit 170f8e91adc7157f6e708ffa58ca22d10e4e45da diff --git a/gst/rtp/gstrtph263pdepay.c b/gst/rtp/gstrtph263pdepay.c index 082d26f..7d77573 100644 --- a/gst/rtp/gstrtph263pdepay.c +++ b/gst/rtp/gstrtph263pdepay.c @@ -265,6 +265,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) header_len = 2; + if (payload_len < header_len) + goto bad_packet; + M = gst_rtp_buffer_get_marker (buf); /* 0 1 @@ -285,6 +288,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) header_len += PLEN; } + if ((!P && payload_len < header_len) || (P && payload_len < header_len - 2)) + goto bad_packet; + if (P) { rtph263pdepay->wait_start = FALSE; header_len -= 2; -- 2.7.4