projects / gpac.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7c6fdd0)
[PATCH] m2ts: check descs_size read from input to prevent overflow (#2388)
authorAurelien David <aurelien.david@telecom-paristech.fr>
Tue, 7 Feb 2023 17:27:19 +0000 (18:27 +0100)
committerMoritz Mühlenhoff <jmm@debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
Gbp-Pq: Name CVE-2023-1448.patch

src/media_tools/mpegts.c patch | blob | history

diff --git a/src/media_tools/mpegts.c b/src/media_tools/mpegts.c
index 386d69977bb1be2ee197ac9b5935d0a5a72c038e..bc94cf48d87b8bdb1069ca57e6cad838e1bf02c4 100644 (file)
--- a/src/media_tools/mpegts.c
+++ b/src/media_tools/mpegts.c
@@ -807,6 +807,11 @@ static void gf_m2ts_process_sdt(GF_M2TS_Demuxer *ts, GF_M2TS_SECTION_ES *ses, GF
                descs_size = ((data[pos+3]&0xf)<<8) | data[pos+4];
                pos += 5;
 
+               if (pos+descs_size > data_size) {
+                       GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[MPEG-2 TS] Invalid descriptors size read from data (%u)\n"));
+                       return;
+               }
+
                d_pos = 0;
                while (d_pos < descs_size) {
                        u8 d_tag = data[pos+d_pos];
Unnamed repository; edit this file 'description' to name the repository.