From 6c457715ab98b216d75230372b87cdb2c73c14bc Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Tue, 7 Feb 2023 18:27:19 +0100
Subject: [PATCH] [PATCH] m2ts: check descs_size read from input to prevent
 overflow (#2388)

Gbp-Pq: Name CVE-2023-1448.patch
---
 src/media_tools/mpegts.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/media_tools/mpegts.c b/src/media_tools/mpegts.c
index 386d699..bc94cf4 100644
--- a/src/media_tools/mpegts.c
+++ b/src/media_tools/mpegts.c
@@ -807,6 +807,11 @@ static void gf_m2ts_process_sdt(GF_M2TS_Demuxer *ts, GF_M2TS_SECTION_ES *ses, GF
 		descs_size = ((data[pos+3]&0xf)<<8) | data[pos+4];
 		pos += 5;
 
+		if (pos+descs_size > data_size) {
+			GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[MPEG-2 TS] Invalid descriptors size read from data (%u)\n"));
+			return;
+		}
+
 		d_pos = 0;
 		while (d_pos < descs_size) {
 			u8 d_tag = data[pos+d_pos];
-- 
2.30.2