[FFmpeg-cvslog] avformat/mpegts: Check desc_len / get8() return code
Michael Niedermayer
git at videolan.org
Fri Nov 28 20:02:28 CET 2014
ffmpeg | branch: release/2.1 | Michael Niedermayer <michaelni at gmx.at> | Sat Oct 4 04:29:40 2014 +0200| [ea61dfe0abf4e57c8cd798b1853f0e376a02ec03] | committer: Michael Niedermayer
avformat/mpegts: Check desc_len / get8() return code
Fixes out of array read
Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ea61dfe0abf4e57c8cd798b1853f0e376a02ec03
---
libavformat/mpegts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index ba92304..b57eaf5 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1766,7 +1766,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
break;
desc_len = get8(&p, desc_list_end);
desc_end = p + desc_len;
- if (desc_end > desc_list_end)
+ if (desc_len < 0 || desc_end > desc_list_end)
break;
av_dlog(ts->stream, "tag: 0x%02x len=%d\n",
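
Review bot: desc_end = p + desc_len is still computed before the new desc_len < 0 test, so on a failed get8() the pointer is formed from a negative, unvalidated length and only rejected afterwards. Consider testing desc_len first and assigning desc_end only once it is known to be non-negative, or expressing the bound as a length comparison, e.g. if (desc_len < 0 || desc_len > desc_list_end - p) break; so the check never depends on out-of-range pointer arithmetic. A short comment that get8() returns a negative value when p has reached desc_list_end would also make the reason for the extra condition clear to later readers.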