From 0642ef94edb64507d80071803908a2c318052e32 Mon Sep 17 00:00:00 2001 From: Petri Hintukainen Date: Fri, 22 Jul 2011 17:03:47 +0300 Subject: demux_ts: Added buffer size checks. Make sure buffer size is not set to negative value (that results writing out of buffer when buffering payload). Check buffer size before checking substream header bytes. --- src/demuxers/demux_ts.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/demuxers/demux_ts.c b/src/demuxers/demux_ts.c index 0fd3a1299..4affa3b2c 100644 --- a/src/demuxers/demux_ts.c +++ b/src/demuxers/demux_ts.c @@ -801,7 +801,7 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m, return 1; } else if((m->descriptor_tag == STREAM_AUDIO_AC3) || /* ac3 - raw */ - (p[0] == 0x0B && p[1] == 0x77)) { /* ac3 - syncword */ + (packet_len > 1 && p[0] == 0x0B && p[1] == 0x77)) { /* ac3 - syncword */ m->content = p; m->size = packet_len; m->type |= BUF_AUDIO_A52; @@ -821,8 +821,15 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m, m->type |= BUF_AUDIO_DTS; return 1; + } else if (packet_len < 2) { + return 0; + } else if (m->descriptor_tag == HDMV_AUDIO_80_PCM) { + if (packet_len < 4) { + return 0; + } + m->content = p + 4; m->size = packet_len - 4; m->type |= BUF_AUDIO_LPCM_BE; @@ -852,6 +859,10 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m, return 1; } else if ((p[0] & 0xF0) == 0x80) { + if (packet_len < 4) { + return 0; + } + m->content = p+4; m->size = packet_len - 4; m->type |= BUF_AUDIO_A52; @@ -868,6 +879,10 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m, } } + if (packet_len < pcm_offset) { + return 0; + } + m->content = p+pcm_offset; m->size = packet_len-pcm_offset; m->type |= BUF_AUDIO_LPCM_BE; -- cgit v1.2.3