From 7c6fdd01acb91dbfb3ec20e5db0524b7ad079d7c Mon Sep 17 00:00:00 2001
From: Aurelien David
Date: Thu, 16 Feb 2023 17:34:58 +0100
Subject: [PATCH] [PATCH] rfadts: add size guard on dmx (#2400)
Gbp-Pq: Name CVE-2023-0866.patch
---
 src/filters/reframe_adts.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/filters/reframe_adts.c b/src/filters/reframe_adts.c
index 734410c..2746e5b 100644
--- a/src/filters/reframe_adts.c
+++ b/src/filters/reframe_adts.c
@@ -256,7 +256,7 @@ static void adts_dmx_check_dur(GF_Filter *filter, GF_ADTSDmxCtx *ctx)
 gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration));
 }
 }
-
+
 p = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED);
 if (p && p->value.boolean) ctx->file_loaded = GF_TRUE;
 gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) );
@@ -715,6 +715,12 @@ GF_Err adts_dmx_process(GF_Filter *filter)
 }
 if (!ctx->in_seek) {
+
+ if (sync_pos + offset + size > remain) {
+ GF_LOG(GF_LOG_WARNING, GF_LOG_MEDIA, ("[ADTSDmx] truncated frame\n"));
+ break;
+ }
+
 dst_pck = gf_filter_pck_new_alloc(ctx->opid, size, &output);
 if (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck);
-- 
2.30.2
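Review bot: The new guard in adts_dmx_process adds `sync_pos + offset + size` before comparing the sum with `remain`. The declarations are outside the hunk, but if these are 32-bit unsigned values the sum can wrap, and an oversized `size` would then pass the check. Comparing by subtraction avoids the wrap on `size`, e.g. `if (size > remain || sync_pos + offset > remain - size) {`. The check also sits inside `if (!ctx->in_seek)`, so any code after this block that advances by `size` while seeking is not covered by it; that code is not visible here and should be confirmed. A short comment above the guard, such as `/* never allocate or copy a frame that extends past the bytes left in the input */`, would record why it exists.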