[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gstreamer-cvs
Subject:    gst-plugins-bad: kate: avoid read buffer overflow in crafted stream
From:       vincent () kemper ! freedesktop ! org (Vincent Penquerc'h)
Date:       2014-04-30 17:18:03
Message-ID: 20140430171803.71803761E5 () kemper ! freedesktop ! org
[Download RAW message or body]

Module: gst-plugins-bad
Branch: master
Commit: d8fb89e4e69dc3f74314ca274a6818c1e3396f52
URL:    http://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=d8fb89e4e69dc3f74314ca274a6818c1e3396f52


Author: Vincent Penquerc'h <vincent.penquerch@collabora.co.uk>
Date:   Wed Apr 30 10:05:15 2014 +0100

kate: avoid read buffer overflow in crafted stream

Coverity 1208777

---

 ext/kate/gstkatespu.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ext/kate/gstkatespu.c b/ext/kate/gstkatespu.c
index e256f86..1b7dbc7 100644
--- a/ext/kate/gstkatespu.c
+++ b/ext/kate/gstkatespu.c
@@ -79,7 +79,7 @@ gst_kate_spu_decode_pixaddr (GstKateEnc * ke, const guint8 * ptr)
 
 /* heavily inspired from dvdspudec */
 static guint16
-gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr)
+gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr, guint16 sz)
 {
   guint16 nbytes = GST_KATE_UINT16_BE (ptr + 0);
   guint16 nbytes_left = nbytes;
@@ -92,6 +92,12 @@ gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr)
         nbytes);
     return 0;
   }
+  if (G_UNLIKELY (nbytes > sz)) {
+    GST_WARNING_OBJECT (ke,
+        "Number of bytes in color/contrast change command is %u, but the buffer "
+        "only contains %u byte(s)", nbytes, sz);
+    return 0;
+  }
 
   ptr += 2;
   nbytes_left -= 2;
@@ -348,7 +354,7 @@ gst_kate_spu_decode_command_sequence (GstKateEnc * ke, GstBuffer \
* buf,  case SPU_CMD_CHG_COLCON: /* 0x07 */
         GST_DEBUG_OBJECT (ke, "[7] CHANGE COLOR/CONTRAST");
         CHECK (2);
-        ADVANCE (gst_kate_spu_decode_colcon (ke, ptr));
+        ADVANCE (gst_kate_spu_decode_colcon (ke, ptr, sz));
         break;
       case SPU_CMD_END:        /* 0xff */
         GST_DEBUG_OBJECT (ke, "[0xff] END");

_______________________________________________
gstreamer-commits mailing list
gstreamer-commits@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/gstreamer-commits


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic