From 455c2739f40e1ce7f4a956ed211e945a321bb3c9 Mon Sep 17 00:00:00 2001
From: jeanlf
Date: Sat, 17 Dec 2022 12:06:16 +0100
Subject: [PATCH] [PATCH] fixed #2354
Gbp-Pq: Name CVE-2022-47659.patch
---
 src/filters/reframe_latm.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/filters/reframe_latm.c b/src/filters/reframe_latm.c
index 08b5ebd..b3cbd34 100644
--- a/src/filters/reframe_latm.c
+++ b/src/filters/reframe_latm.c
@@ -30,6 +30,8 @@
 #ifndef GPAC_DISABLE_AV_PARSERS
+#define LATM_DMX_MAX_SIZE 8192
+
 typedef struct
 {
 u64 pos;
@@ -152,7 +154,7 @@ static Bool latm_dmx_sync_frame_bs(GF_BitStream *bs, GF_M4ADecSpecInfo *acfg, u3
 size += tmp;
 if (tmp!=255) break;
 }
- if (gf_bs_available(bs) < size) {
+ if ((gf_bs_available(bs) < size) || (size > LATM_DMX_MAX_SIZE)){
 gf_bs_seek(bs, pos-3);
 return GF_FALSE;
 }
@@ -482,8 +484,8 @@ GF_Err latm_dmx_process(GF_Filter *filter)
 while (1) {
 pos = (u32) gf_bs_get_position(ctx->bs);
- u8 latm_buffer[4096];
- u32 latm_frame_size = 4096;
+ u8 latm_buffer[LATM_DMX_MAX_SIZE];
+ u32 latm_frame_size = LATM_DMX_MAX_SIZE;
 if (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break;
 if (ctx->in_seek) {
--
2.30.2
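Review bot: `LATM_DMX_MAX_SIZE` is introduced in the first hunk without a comment, although after this patch it carries two meanings: the largest payload `latm_dmx_sync_frame_bs` accepts and the size of the stack buffer in `latm_dmx_process`. A comment above the define would make that contract visible to the next person who adds a caller, for example `/* max LATM payload in bytes; any buffer handed to latm_dmx_sync_frame_bs() must be at least this large */`. The patch does not show whether 8192 is a limit of the format or an empirical choice, so the comment should say which.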
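Review bot: An oversized frame now leaves `latm_dmx_sync_frame_bs` through the same exit as a short read: rewind to `pos-3` and return `GF_FALSE`, which the caller in `latm_dmx_process` answers with `break`. More input can complete a short read but can never make a length above `LATM_DMX_MAX_SIZE` valid, so if the caller keeps the unread bytes and retries from the same position, a malformed stream would presumably stall the demuxer or keep its pending data growing. The loop around this check is outside the hunk, so this needs confirming against the full function. If it holds, the oversize case deserves its own branch, opened with `if (size > LATM_DMX_MAX_SIZE) {` and commented `/* malformed length: more data cannot fix this */`, which logs the rejection and resumes scanning past the sync word instead of rewinding onto it.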
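Review bot: Nothing in `latm_dmx_process` ties `latm_buffer` to the bound that protects it: the array size and `latm_frame_size` are two separate uses of `LATM_DMX_MAX_SIZE`, and the check itself lives in `latm_dmx_sync_frame_bs`, which hardcodes the same macro. Writing `u32 latm_frame_size = sizeof(latm_buffer);` stops the two local lines from drifting apart. The callee would be safe for any caller if, when a buffer is supplied, it rejected `size` above the value passed in through the third argument rather than above the global constant. Whether the callee already reads that incoming value as a capacity is not visible in this patch, so treat that part as something to verify, along with any other callers that pass a smaller buffer.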