[MPlayer-cvslog] r31669 - trunk/libmpdemux/demux_ts.c

reimar subversion at mplayerhq.hu
Sat Jul 10 18:43:00 CEST 2010


Author: reimar
Date: Sat Jul 10 18:43:00 2010
New Revision: 31669

Log:
Check packet size before memmove to avoid crashes e.g. if we recognized the
wrong type and subtracted more header bytes than there are overall bytes.

Modified:
   trunk/libmpdemux/demux_ts.c

Modified: trunk/libmpdemux/demux_ts.c
==============================================================================
--- trunk/libmpdemux/demux_ts.c	Sat Jul 10 18:30:59 2010	(r31668)
+++ trunk/libmpdemux/demux_ts.c	Sat Jul 10 18:43:00 2010	(r31669)
@@ -3152,6 +3152,10 @@ static int ts_parse(demuxer_t *demuxer ,
 
 				demuxer->filepos = stream_tell(demuxer->stream) - es->size;
 
+				if(es->size < 0 || es->size > buf_size) {
+					mp_msg(MSGT_DEMUX, MSGL_ERR, "Broken ES packet size\n");
+					es->size = 0;
+				}
 				memmove(p, es->start, es->size);
 				*dp_offset += es->size;
 				(*dp)->flags = 0;
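
Review bot: The new size check in ts_parse() comes after `demuxer->filepos = stream_tell(demuxer->stream) - es->size;`, so filepos is still derived from the unvalidated es->size when the packet is broken (negative or larger than buf_size). Consider moving the check above that assignment so that every use of es->size in this block sees the sanitized value. Also worth confirming that buf_size is the right upper bound for the destination: the following `*dp_offset += es->size` suggests data is appended at an offset, in which case the limit for the memmove into p should be the space remaining after *dp_offset rather than the full buf_size. Finally, with es->size forced to 0 the code still falls through to the memmove and the flag update for an empty packet; an early bail-out after the error message may be clearer if nothing downstream needs the zero-length packet.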

