mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2024-12-27 01:42:20 +00:00
mpegts: Do not try to write a PMT larger than SECTION_SIZE
Prevent out of array writes. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org Signed-off-by: Diego Biurrun <diego@biurrun.de>
This commit is contained in:
parent
353240541d
commit
e8049af132
@ -226,7 +226,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
|
|||||||
{
|
{
|
||||||
MpegTSWrite *ts = s->priv_data;
|
MpegTSWrite *ts = s->priv_data;
|
||||||
uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr;
|
uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr;
|
||||||
int val, stream_type, i;
|
int val, stream_type, i, err = 0;
|
||||||
|
|
||||||
q = data;
|
q = data;
|
||||||
put16(&q, 0xe000 | service->pcr_pid);
|
put16(&q, 0xe000 | service->pcr_pid);
|
||||||
@ -244,6 +244,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
|
|||||||
AVStream *st = s->streams[i];
|
AVStream *st = s->streams[i];
|
||||||
MpegTSWriteStream *ts_st = st->priv_data;
|
MpegTSWriteStream *ts_st = st->priv_data;
|
||||||
AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL, 0);
|
AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL, 0);
|
||||||
|
|
||||||
|
if (q - data > SECTION_LENGTH - 3 - 2 - 6) {
|
||||||
|
err = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
switch (st->codec->codec_id) {
|
switch (st->codec->codec_id) {
|
||||||
case AV_CODEC_ID_MPEG1VIDEO:
|
case AV_CODEC_ID_MPEG1VIDEO:
|
||||||
case AV_CODEC_ID_MPEG2VIDEO:
|
case AV_CODEC_ID_MPEG2VIDEO:
|
||||||
@ -301,6 +306,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
|
|||||||
*len_ptr = 0;
|
*len_ptr = 0;
|
||||||
|
|
||||||
for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
|
for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
|
||||||
|
if (q - data > SECTION_LENGTH - 4) {
|
||||||
|
err = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
next = strchr(p, ',');
|
next = strchr(p, ',');
|
||||||
if (strlen(p) != 3 && (!next || next != p + 3))
|
if (strlen(p) != 3 && (!next || next != p + 3))
|
||||||
continue; /* not a 3-letter code */
|
continue; /* not a 3-letter code */
|
||||||
@ -335,6 +344,12 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
|
|||||||
*q++ = language[1];
|
*q++ = language[1];
|
||||||
*q++ = language[2];
|
*q++ = language[2];
|
||||||
*q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */
|
*q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */
|
||||||
|
|
||||||
|
if (q - data > SECTION_LENGTH - 4) {
|
||||||
|
err = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if (st->codec->extradata_size == 4) {
|
if (st->codec->extradata_size == 4) {
|
||||||
memcpy(q, st->codec->extradata, 4);
|
memcpy(q, st->codec->extradata, 4);
|
||||||
q += 4;
|
q += 4;
|
||||||
@ -360,6 +375,13 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
|
|||||||
desc_length_ptr[0] = val >> 8;
|
desc_length_ptr[0] = val >> 8;
|
||||||
desc_length_ptr[1] = val;
|
desc_length_ptr[1] = val;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (err)
|
||||||
|
av_log(s, AV_LOG_ERROR,
|
||||||
|
"The PMT section cannot fit stream %d and all following streams.\n"
|
||||||
|
"Try reducing the number of languages in the audio streams "
|
||||||
|
"or the total number of streams.\n", i);
|
||||||
|
|
||||||
mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
|
mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
|
||||||
data, q - data);
|
data, q - data);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user