From: Maintainers of GStreamer packages <gst-plugins-bad1.0@packages.debian.org>
Date: Sat, 22 Jul 2023 16:03:02 +0000 (+0100)
Subject: SA-2023-0003
X-Git-Tag: archive/raspbian/1.14.4-1+rvt+deb10u3^2~1
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=3531aa1e4bc230755578caf6ee804a70b2fb8c2e;p=gst-plugins-bad1.0.git

SA-2023-0003


Gbp-Pq: Name SA-2023-0003.patch
---

diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
index 6108de0..df0b8e2 100644
--- a/gst/dvdspu/gstspu-pgs.c
+++ b/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
     obj->rle_data_size = GST_READ_UINT24_BE (payload);
     payload += 3;
 
+    if (end - payload > obj->rle_data_size)
+      return 0;
+
     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
         (int) (end - payload), obj->rle_data_size);
 
@@ -604,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
     PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
     /* Check that the data chunk is for this object version, and fits in the buffer */
     if (obj->rle_data_ver == obj_ver &&
-        obj->rle_data_used + end - payload <= obj->rle_data_size) {
+        end - payload <= obj->rle_data_size &&
+        obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
 
       memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
       obj->rle_data_used += end - payload;