From: jeanlf
Date: Sat, 17 Dec 2022 11:06:16 +0000 (+0100)
Subject: [PATCH] fixed #2354
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u3^2~82
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=455c2739f40e1ce7f4a956ed211e945a321bb3c9;p=gpac.git
[PATCH] fixed #2354
Gbp-Pq: Name CVE-2022-47659.patch
---
diff --git a/src/filters/reframe_latm.c b/src/filters/reframe_latm.c
index 08b5ebd..b3cbd34 100644
--- a/src/filters/reframe_latm.c
+++ b/src/filters/reframe_latm.c
@@ -30,6 +30,8 @@
 #ifndef GPAC_DISABLE_AV_PARSERS
+#define LATM_DMX_MAX_SIZE 8192
+
 typedef struct
 {
 u64 pos;
@@ -152,7 +154,7 @@ static Bool latm_dmx_sync_frame_bs(GF_BitStream *bs, GF_M4ADecSpecInfo *acfg, u3
 size += tmp;
 if (tmp!=255) break;
 }
- if (gf_bs_available(bs) < size) {
+ if ((gf_bs_available(bs) < size) || (size > LATM_DMX_MAX_SIZE)){
 gf_bs_seek(bs, pos-3);
 return GF_FALSE;
 }
@@ -482,8 +484,8 @@ GF_Err latm_dmx_process(GF_Filter *filter)
 while (1) {
 pos = (u32) gf_bs_get_position(ctx->bs);
- u8 latm_buffer[4096];
- u32 latm_frame_size = 4096;
+ u8 latm_buffer[LATM_DMX_MAX_SIZE];
+ u32 latm_frame_size = LATM_DMX_MAX_SIZE;
 if (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break;
 if (ctx->in_seek) {
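Review bot: The new `size > LATM_DMX_MAX_SIZE` test in `latm_dmx_sync_frame_bs` bounds the frame by a compile-time constant rather than by the capacity of the buffer the caller handed in, so it is only correct while every caller allocates at least `LATM_DMX_MAX_SIZE` bytes. `latm_dmx_process` does so after this commit and also passes `&latm_frame_size` preset to the buffer size. If that argument is meant as an in/out capacity (the signature is truncated in the hunk header, so this is inferred), comparing `size` with the value it points to would keep the guard tied to the real buffer. At minimum the macro deserves a comment such as `/* largest LATM payload accepted; any buffer passed to latm_dmx_sync_frame_bs must be at least this big */`. The function body starts and ends outside the hunk.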
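Review bot: The `break` on a false return from `latm_dmx_sync_frame_bs` in `latm_dmx_process` now covers two different conditions: too little data buffered, and a declared frame length above `LATM_DMX_MAX_SIZE`. Both take the same path, `gf_bs_seek(bs, pos-3); return GF_FALSE;`. If the code after the loop (outside this hunk) keeps the unparsed bytes and waits for more input, an oversized length field would be re-parsed at the same position on every call and never accepted. Consider not rewinding in the oversize case so the sync search resumes past the rejected header, and logging the rejection, so malformed input is skipped rather than retained. `latm_dmx_process` continues outside the hunk.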