From dc086c7f3808b2da888f2e496edd7fef69b038c0 Mon Sep 17 00:00:00 2001
From: Petri Hintukainen <phintuka@users.sourceforge.net>
Date: Tue, 2 Aug 2011 15:42:21 +0300
Subject: demux_ts: added buffer size checks to adaptation field parsing

---
 src/demuxers/demux_ts.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src')

diff --git a/src/demuxers/demux_ts.c b/src/demuxers/demux_ts.c
index 52b07a437..d5af1615e 100644
--- a/src/demuxers/demux_ts.c
+++ b/src/demuxers/demux_ts.c
@@ -1806,6 +1806,9 @@ static int64_t demux_ts_adaptation_field_parse(uint8_t *data,
   }
 #endif
   if(PCR_flag) {
+    if (adaptation_field_length < offset + 6)
+      return 0;
+
     PCR  = (((int64_t) data[offset]) & 0xFF) << 25;
     PCR += (int64_t) ((data[offset+1] & 0xFF) << 17);
     PCR += (int64_t) ((data[offset+2] & 0xFF) << 9);
@@ -1820,6 +1823,9 @@ static int64_t demux_ts_adaptation_field_parse(uint8_t *data,
     offset+=6;
   }
   if(OPCR_flag) {
+    if (adaptation_field_length < offset + 6)
+      return PCR;
+
     OPCR = data[offset] << 25;
     OPCR |= data[offset+1] << 17;
     OPCR |= data[offset+2] << 9;
-- 
cgit v1.2.3