demux_ts: Fixed reading outside of buffer: check header length before

parsing pts.

1 files changed, 12 insertions, 9 deletions

diff --git a/xine/BluRay/demux_ts.c b/xine/BluRay/demux_ts.c
index c101500b..8500cfb1 100644
--- a/xine/BluRay/demux_ts.c
+++ b/xine/BluRay/demux_ts.c
@@ -773,6 +773,14 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m,
   packet_len -= 6;
   /* packet_len = p[4] << 8 | p[5]; */
   stream_id  = p[3];
+  header_len = p[8];
+
+  /* sometimes corruption on header_len causes segfault in memcpy below */
+  if (header_len + 9 > pkt_len) {
+    xprintf (xine, XINE_VERBOSITY_DEBUG,
+             "demux_ts: illegal value for PES_header_data_length (0x%x)\n", header_len);
+    return 0;
+  }
 
 #ifdef TS_LOG
   printf ("demux_ts: packet stream id: %.2x len: %d (%x)\n",
@@ -781,6 +789,10 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m,
 
   if (p[7] & 0x80) { /* pts avail */
 
+    if (header_len < 5) {
+      return 0;
+    }
+
     pts  = (int64_t)(p[ 9] & 0x0E) << 29 ;
     pts |=  p[10]         << 22 ;
     pts |= (p[11] & 0xFE) << 14 ;
@@ -805,15 +817,6 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m,
 
   m->pts       = pts;
 
-  header_len = p[8];
-
-  /* sometimes corruption on header_len causes segfault in memcpy below */
-  if (header_len + 9 > pkt_len) {
-    xprintf (xine, XINE_VERBOSITY_DEBUG,
-	     "demux_ts: illegal value for PES_header_data_length (0x%x)\n", header_len);
-    return 0;
-  }
-
   p += header_len + 9;
   packet_len -= header_len + 3;