[FFmpeg-devel] [PATCH v3] avformat/mpegts: fixes overflow when parsing the PMT
Marton Balint
cus at passwd.hu
Sat Sep 18 22:22:45 EEST 2021
On Wed, 15 Sep 2021, Nicolas Jorge Dato wrote:
> When a possible overflow was detected, there was a break
> to exit the while loop.
> However, it should have already substracted 2 bytes from
> program_info_length (descriptor ID + length).
> Ticket #9422
Thanks, applied.
Regards,
Marton
> ---
> libavformat/mpegts.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
> index fe89d4fb9f..f4e95d21fd 100644
> --- a/libavformat/mpegts.c
> +++ b/libavformat/mpegts.c
> @@ -2346,10 +2346,11 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
>
> av_log(ts->stream, AV_LOG_TRACE, "program tag: 0x%02x len=%d\n", tag, len);
>
> - if (len > program_info_length - 2)
> + program_info_length -= 2;
> + if (len > program_info_length)
> // something else is broken, exit the program_descriptors_loop
> break;
> - program_info_length -= len + 2;
> + program_info_length -= len;
> if (tag == IOD_DESCRIPTOR) {
> get8(&p, p_end); // scope
> get8(&p, p_end); // label
> --
> 2.33.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>
More information about the ffmpeg-devel
mailing list