[MPlayer-cvslog] r31671 - trunk/libmpdemux/demux_ts.c

[reimar]

Author: reimar
Date: Sat Jul 10 18:48:59 2010
New Revision: 31671

Log:
Add packet->len checks to avoid out-of-bounds reads and negative
es->size values.

Modified:
   trunk/libmpdemux/demux_ts.c

Modified: trunk/libmpdemux/demux_ts.c
==============================================================================
--- trunk/libmpdemux/demux_ts.c	Sat Jul 10 18:44:02 2010	(r31670)
+++ trunk/libmpdemux/demux_ts.c	Sat Jul 10 18:48:59 2010	(r31671)
@@ -1484,7 +1484,7 @@ static int pes_parse2(unsigned char *buf
 
 		if(
 			(type_from_pmt == AUDIO_A52) ||		 /* A52 - raw */
-			(p[0] == 0x0B && p[1] == 0x77)		/* A52 - syncword */
+			(packet_len >= 2 && p[0] == 0x0B && p[1] == 0x77)		/* A52 - syncword */
 		)
 		{
 			mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 RAW OR SYNCWORD\n");
@@ -1497,7 +1497,7 @@ static int pes_parse2(unsigned char *buf
 		}
 		/* SPU SUBS */
 		else if(type_from_pmt == SPU_DVB ||
-		((p[0] == 0x20) && pes_is_aligned)) // && p[1] == 0x00))
+		(packet_len >= 1 && (p[0] == 0x20) && pes_is_aligned)) // && p[1] == 0x00))
 		{
 			es->start = p;
 			es->size  = packet_len;
@@ -1506,7 +1506,7 @@ static int pes_parse2(unsigned char *buf
 
 			return 1;
 		}
-		else if (pes_is_aligned && ((p[0] & 0xE0) == 0x20))	//SPU_DVD
+		else if (pes_is_aligned && packet_len >= 1 && ((p[0] & 0xE0) == 0x20))	//SPU_DVD
 		{
 			//DVD SUBS
 			es->start   = p+1;
@@ -1516,7 +1516,7 @@ static int pes_parse2(unsigned char *buf
 
 			return 1;
 		}
-		else if (pes_is_aligned && (p[0] & 0xF8) == 0x80)
+		else if (pes_is_aligned && packet_len >= 4 && (p[0] & 0xF8) == 0x80)
 		{
 			mp_msg(MSGT_DEMUX, MSGL_DBG2, "A52 WITH HEADER\n");
 			es->start   = p+4;
@@ -1526,7 +1526,7 @@ static int pes_parse2(unsigned char *buf
 
 			return 1;
 		}
-		else if (pes_is_aligned && ((p[0]&0xf0) == 0xa0))
+		else if (pes_is_aligned && packet_len >= 1 && ((p[0]&0xf0) == 0xa0))
 		{
 			int pcm_offset;