From efd03cf91cbdf69178f7cc0c4817832302d3d95d Mon Sep 17 00:00:00 2001
From: Petri Hintukainen <phintuka@users.sourceforge.net>
Date: Sat, 16 Jul 2011 13:30:34 +0300
Subject: demux_ts: Fixed reading outside of buffer: check header length before
 parsing pts.

---
 src/demuxers/demux_ts.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'src')

diff --git a/src/demuxers/demux_ts.c b/src/demuxers/demux_ts.c
index f46c5d4f2..d6d2a0cbe 100644
--- a/src/demuxers/demux_ts.c
+++ b/src/demuxers/demux_ts.c
@@ -719,6 +719,14 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m,
   packet_len -= 6;
   /* packet_len = p[4] << 8 | p[5]; */
   stream_id  = p[3];
+  header_len = p[8];
+
+  /* sometimes corruption on header_len causes segfault in memcpy below */
+  if (header_len + 9 > pkt_len) {
+    xprintf (xine, XINE_VERBOSITY_DEBUG,
+             "demux_ts: illegal value for PES_header_data_length (0x%x)\n", header_len);
+    return 0;
+  }
 
 #ifdef TS_LOG
   printf ("demux_ts: packet stream id: %.2x len: %d (%x)\n",
@@ -727,6 +735,10 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m,
 
   if (p[7] & 0x80) { /* pts avail */
 
+    if (header_len < 5) {
+      return 0;
+    }
+
     pts  = (int64_t)(p[ 9] & 0x0E) << 29 ;
     pts |=  p[10]         << 22 ;
     pts |= (p[11] & 0xFE) << 14 ;
@@ -751,15 +763,6 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m,
 
   m->pts       = pts;
 
-  header_len = p[8];
-
-  /* sometimes corruption on header_len causes segfault in memcpy below */
-  if (header_len + 9 > pkt_len) {
-    xprintf (xine, XINE_VERBOSITY_DEBUG,
-	     "demux_ts: illegal value for PES_header_data_length (0x%x)\n", header_len);
-    return 0;
-  }
-
   p += header_len + 9;
   packet_len -= header_len + 3;
 
-- 
cgit v1.2.3