From: Aurelien David
Date: Thu, 16 Feb 2023 16:34:58 +0000 (+0100)
Subject: [PATCH] rfadts: add size guard on dmx (#2400)
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u3^2~15
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7c6fdd01acb91dbfb3ec20e5db0524b7ad079d7c;p=gpac.git
[PATCH] rfadts: add size guard on dmx (#2400)
Gbp-Pq: Name CVE-2023-0866.patch
---
diff --git a/src/filters/reframe_adts.c b/src/filters/reframe_adts.c
index 734410c..2746e5b 100644
--- a/src/filters/reframe_adts.c
+++ b/src/filters/reframe_adts.c
@@ -256,7 +256,7 @@ static void adts_dmx_check_dur(GF_Filter *filter, GF_ADTSDmxCtx *ctx)
 gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));
 }
 }
-
+
 p = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);
 if (p && p->value.boolean) ctx->file_loaded = GF_TRUE;
 gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) );
@@ -715,6 +715,12 @@ GF_Err adts_dmx_process(GF_Filter *filter)
 }
 if (!ctx->in_seek) {
+
+ if (sync_pos + offset + size > remain) {
+ GF_LOG(GF_LOG_WARNING, GF_LOG_MEDIA, ("[ADTSDmx] truncated frame\n"));
+ break;
+ }
+
 dst_pck = gf_filter_pck_new_alloc(ctx->opid, size, &output);
 if (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);
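Review bot: The new guard in adts_dmx_process adds three values before comparing (`sync_pos + offset + size > remain`), so if these are unsigned 32-bit counters (their declarations are outside the hunk) a large header-derived `size` or `offset` could wrap the sum and pass the check. A subtraction form cannot wrap: `if (sync_pos > remain || offset > remain - sync_pos || size > remain - sync_pos - offset) {`. It would also help to add a comment on the guard, such as `/* frame payload must lie entirely inside the bytes still buffered; size comes from the untrusted ADTS header */`. The function body continues past the hunk, so the copy that consumes `size` bytes and the handling of leftover data after the `break` are not visible here and should be checked against the same bound.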