SA-2023-0003

author Maintainers of GStreamer packages <gst-plugins-bad1.0@packages.debian.org>

Fri, 27 Oct 2023 20:55:02 +0000 (22:55 +0200)

committer Thorsten Alteholz <debian@alteholz.de>

Fri, 27 Oct 2023 20:55:02 +0000 (22:55 +0200)
author Maintainers of GStreamer packages <gst-plugins-bad1.0@packages.debian.org>
Fri, 27 Oct 2023 20:55:02 +0000 (22:55 +0200)
committer Thorsten Alteholz <debian@alteholz.de>
Fri, 27 Oct 2023 20:55:02 +0000 (22:55 +0200)
diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c

index 6108de07c2ea9fe24921a0db9b33fc352b02eb9e..df0b8e2cbe681169811ea8580658baeb9c01dafd 100644 (file)
--- a/gst/dvdspu/gstspu-pgs.c
+++ b/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
      obj->rle_data_size = GST_READ_UINT24_BE (payload);
      payload += 3;
  
+    if (end - payload > obj->rle_data_size)
+      return 0;
+
      PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
          (int) (end - payload), obj->rle_data_size);
  
@@ -604,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
      PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
      /* Check that the data chunk is for this object version, and fits in the buffer */
      if (obj->rle_data_ver == obj_ver &&
-        obj->rle_data_used + end - payload <= obj->rle_data_size) {
+        end - payload <= obj->rle_data_size &&
+        obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
  
        memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
        obj->rle_data_used += end - payload;
author	Maintainers of GStreamer packages <gst-plugins-bad1.0@packages.debian.org>
	Fri, 27 Oct 2023 20:55:02 +0000 (22:55 +0200)
committer	Thorsten Alteholz <debian@alteholz.de>
	Fri, 27 Oct 2023 20:55:02 +0000 (22:55 +0200)