From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Tue, 7 Feb 2023 17:27:19 +0000 (+0100)
Subject: [PATCH] m2ts: check descs_size read from input to prevent overflow (#2388)
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u3^2~14
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6c457715ab98b216d75230372b87cdb2c73c14bc;p=gpac.git

[PATCH] m2ts: check descs_size read from input to prevent overflow (#2388)


Gbp-Pq: Name CVE-2023-1448.patch
---

diff --git a/src/media_tools/mpegts.c b/src/media_tools/mpegts.c
index 386d699..bc94cf4 100644
--- a/src/media_tools/mpegts.c
+++ b/src/media_tools/mpegts.c
@@ -807,6 +807,11 @@ static void gf_m2ts_process_sdt(GF_M2TS_Demuxer *ts, GF_M2TS_SECTION_ES *ses, GF
 		descs_size = ((data[pos+3]&0xf)<<8) | data[pos+4];
 		pos += 5;
 
+		if (pos+descs_size > data_size) {
+			GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[MPEG-2 TS] Invalid descriptors size read from data (%u)\n"));
+			return;
+		}
+
 		d_pos = 0;
 		while (d_pos < descs_size) {
 			u8 d_tag = data[pos+d_pos];