[FFmpeg-cvslog] mpegts: Do not try to write a PMT larger than SECTION_SIZE

Luca Barbato git at videolan.org
Tue Aug 12 19:22:04 CEST 2014


ffmpeg | branch: release/0.10 | Luca Barbato <lu_zero at gentoo.org> | Thu Aug  7 17:10:32 2014 +0200| [ebe2292eafa7cac71dcdddb865e18c05635fe117] | committer: Luca Barbato

mpegts: Do not try to write a PMT larger than SECTION_SIZE

Prevent an out-of-array write.

Similar to what Michael Niedermayer did to address the same issue.

Bug-Id: CVE-2014-2263
CC: libav-stable at libav.org
(cherry picked from commit addbaf134836aea4e14f73add8c6d753a1373257)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ebe2292eafa7cac71dcdddb865e18c05635fe117
---

 libavformat/mpegtsenc.c |   24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index 87cf726..91b6758 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -237,7 +237,7 @@ static void mpegts_write_pat(AVFormatContext *s)
 static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 {
     uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr;
-    int val, stream_type, i;
+    int val, stream_type, i, err = 0;
 
     q = data;
     put16(&q, 0xe000 | service->pcr_pid);
@@ -255,6 +255,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
         AVStream *st = s->streams[i];
         MpegTSWriteStream *ts_st = st->priv_data;
         AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL,0);
+
+        if (q - data > SECTION_LENGTH - 3 - 2 - 6) {
+            err = 1;
+            break;
+        }
         switch(st->codec->codec_id) {
         case CODEC_ID_MPEG1VIDEO:
         case CODEC_ID_MPEG2VIDEO:
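Review bot: The reserve in `SECTION_LENGTH - 3 - 2 - 6` is three bare constants with no comment, so a descriptor added to this loop later can silently outgrow it. Say what each term covers next to the guard, for example `/* room for the stream header (3), the descriptor-length field (2) and the largest unguarded descriptor (6) */`; these meanings are inferred from the arithmetic, since the writes themselves sit outside this hunk, so confirm them against the loop body. The bound is also tied to the array only by convention: `data` is declared with `SECTION_LENGTH` in the first hunk, and comparing against `sizeof(data)` would keep the two in step.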
@@ -304,6 +309,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
                 *len_ptr = 0;
 
                 for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
+                    if (q - data > SECTION_LENGTH - 4) {
+                        err = 1;
+                        break;
+                    }
                     next = strchr(p, ',');
                     if (strlen(p) != 3 && (!next || next != p + 3))
                         continue; /* not a 3-letter code */
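Review bot: The `break` added inside the language `for` leaves only that loop, not the per-stream loop, so after `err = 1` execution continues with whatever follows the language loop and then with the next stream; the `break` added in the subtitle hunk likewise appears to end only its `case`. Memory safety therefore depends on every later write being guarded in its own right, and nothing in the code says so. A comment at the guard would make the dependency explicit, e.g. `/* leaves the language loop only; the guard at the top of the stream loop stops the next iteration */`. The code that closes the language loop is outside this hunk.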
@@ -338,6 +347,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
                 *q++ = language[1];
                 *q++ = language[2];
                 *q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */
+
+                if (q - data > SECTION_LENGTH - 4) {
+                    err = 1;
+                    break;
+                }
                 if(st->codec->extradata_size == 4) {
                     memcpy(q, st->codec->extradata, 4);
                     q += 4;
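Review bot: The guard for the 4-byte tail comes after the `*q++ = language[1]` … `*q++ = 0x10` writes at the top of the hunk, so when it fires the first part of this descriptor is already in `data` and stays there. The buffer is still handed to `mpegts_write_section1()` in the last hunk, now holding a descriptor shorter than the length it presumably declared (the tag and length bytes are written above this hunk), which a demuxer may misparse. Either test for the whole descriptor before its first byte is written, or rewind on failure, for instance by saving `uint8_t *desc_start = q;` before the tag byte and doing `q = desc_start;` ahead of the `break`.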
@@ -363,6 +377,14 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
         desc_length_ptr[0] = val >> 8;
         desc_length_ptr[1] = val;
     }
+
+    if (err)
+        av_log(s, AV_LOG_ERROR,
+               "The PMT section is too small for stream %d and following.\n"
+               "Try reducing the number of languages in the audio streams "
+               "or the total number of streams.\n",
+               i);
+
     mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
                           data, q - data);
 }
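Review bot: The `i` printed by the new `av_log()` is not always the stream that ran out of room. The guards in the language loop and the subtitle case leave only their inner construct, so the stream loop advances before it stops and `i` is then one past the truncated stream, or equal to the stream count if that stream was the last. Record the index where the limit was hit, e.g. `err = 1; err_stream = i;` at each guard, and log `err_stream` instead. The function still returns `void` and calls `mpegts_write_section1()` with the shortened table, so callers cannot tell that streams were dropped from the PMT. The stream loop's header is outside these hunks, so this is read from the visible `break` placement.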


