From f78e038f9ff405251165a3a01b07b3e807ff87bb Mon Sep 17 00:00:00 2001 From: phintuka Date: Mon, 1 Aug 2011 12:19:34 +0000 Subject: demux_ts: Fixed reading outside of buffer. Checking if pes header length == 6 is not enough ; anything less than 9 is invalid (header length byte at [8] can't be used if it is outside of buffer). Moved check to beginning of parse_pes_header() to avoid reading outside of buffer. --- xine/BluRay/demux_ts.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/xine/BluRay/demux_ts.c b/xine/BluRay/demux_ts.c index 9e87bb7a..c101500b 100644 --- a/xine/BluRay/demux_ts.c +++ b/xine/BluRay/demux_ts.c @@ -753,6 +753,12 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m, uint32_t stream_id; int pkt_len; + if (packet_len < 9) { + xprintf (xine, XINE_VERBOSITY_DEBUG, + "demux_ts: too short PES packet header (%d bytes)\n", packet_len); + return 0; + } + p = buf; pkt_len = packet_len; @@ -768,13 +774,6 @@ static int demux_ts_parse_pes_header (xine_t *xine, demux_ts_media *m, /* packet_len = p[4] << 8 | p[5]; */ stream_id = p[3]; - if (packet_len==0) - { - xprintf (xine, XINE_VERBOSITY_DEBUG, - "demux_ts: error pes length 0\n"); - return 0; - } - #ifdef TS_LOG printf ("demux_ts: packet stream id: %.2x len: %d (%x)\n", stream_id, packet_len, packet_len); -- cgit v1.2.3