author | Luca Barbato <lu_zero@gentoo.org> | 2014-08-07 17:10:32 +0200 |
---|---|---|
committer | Luca Barbato <lu_zero@gentoo.org> | 2014-08-08 14:27:47 +0200 |
commit | ebe2292eafa7cac71dcdddb865e18c05635fe117 (patch) | |
tree | c80fd7e0e0db6086c113a44f508e11300f084d9e | |
parent | d86df7dd497ead1132bd95df7c4c18d91fbe3def (diff) | |
download | ffmpeg-ebe2292eafa7cac71dcdddb865e18c05635fe117.tar.gz |
mpegts: Do not try to write a PMT larger than SECTION_SIZE
Prevent out of array write.
Similar to what Michael Niedermayer did to address the same issue.
Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
(cherry picked from commit addbaf134836aea4e14f73add8c6d753a1373257)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
-rw-r--r-- | libavformat/mpegtsenc.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index 87cf726c73..91b6758cc1 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -237,7 +237,7 @@ static void mpegts_write_pat(AVFormatContext *s)
 static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 {
 uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr;
- int val, stream_type, i;
+ int val, stream_type, i, err = 0;
 q = data;
 put16(&q, 0xe000 | service->pcr_pid);
@@ -255,6 +255,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 AVStream *st = s->streams[i];
 MpegTSWriteStream *ts_st = st->priv_data;
 AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL,0);
+
+ if (q - data > SECTION_LENGTH - 3 - 2 - 6) {
+ err = 1;
+ break;
+ }
 switch(st->codec->codec_id) {
 case CODEC_ID_MPEG1VIDEO:
 case CODEC_ID_MPEG2VIDEO:
@@ -304,6 +309,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 *len_ptr = 0;
 for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
+ if (q - data > SECTION_LENGTH - 4) {
+ err = 1;
+ break;
+ }
 next = strchr(p, ',');
 if (strlen(p) != 3 && (!next || next != p + 3))
 continue; /* not a 3-letter code */
@@ -338,6 +347,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 *q++ = language[1];
 *q++ = language[2];
 *q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */
+
+ if (q - data > SECTION_LENGTH - 4) {
+ err = 1;
+ break;
+ }
 if(st->codec->extradata_size == 4) {
 memcpy(q, st->codec->extradata, 4);
 q += 4;
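Review bot: The bound `SECTION_LENGTH - 3 - 2 - 6` at the top of the stream loop is unexplained, and the fix is only correct if those 11 bytes cover everything one stream entry can write before the next check. A comment naming what each term reserves would let a reader verify that, along the lines of `/* room for the fixed per-stream fields plus the largest descriptor written without a further check */`, with the actual breakdown filled in by the author. The loop header and most of the descriptor-writing code lie outside the hunk, so whether 11 bytes really is the worst case cannot be confirmed from here.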
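Review bot: The `break` added inside the `for (p = lang->value; ...)` loop leaves only that language loop, so the enclosing per-stream loop keeps running with `err` set and is stopped only by the size check at the top of its next iteration. By then `i` has advanced, so the message printed at the end of the function appears to name the stream after the one whose language list was cut, or an index past the last stream if the truncated stream was the final one (the loop header is outside the hunk, so this is inferred). Saving `i` in a separate variable at the point where `err` is first set would keep the report accurate. The `break` in the `@@ -338,6 +347,11 @@` hunk raises the same scope question.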
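Review bot: The check in the `@@ -338,6 +347,11 @@` hunk runs after the descriptor's bytes (`language[1]`, `language[2]`, `0x10`) are already in the buffer, so bailing out here skips only the last four payload bytes and leaves a partly written descriptor behind. If the tag and length bytes written above the hunk already announce the full payload, the PMT that is still emitted would carry a descriptor whose declared length exceeds the data that follows it, which a strict demuxer may mis-parse. Testing for the whole descriptor's size before its first byte is written, or rewinding `q` to the start of the descriptor before leaving, would avoid that. The enclosing block starts and ends outside the hunk.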
@@ -363,6 +377,14 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 desc_length_ptr[0] = val >> 8;
 desc_length_ptr[1] = val;
 }
+
+ if (err)
+ av_log(s, AV_LOG_ERROR,
+ "The PMT section is too small for stream %d and following.\n"
+ "Try reducing the number of languages in the audio streams "
+ "or the total number of streams.\n",
+ i);
+
 mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
 data, q - data);
 } |
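Review bot: When `err` is set the function only logs and then still passes the truncated buffer to `mpegts_write_section1`, and because `mpegts_write_pmt` returns `void` the caller never learns that some streams are missing from the PMT. If that best-effort behaviour is intended it deserves a comment, e.g. `/* PMT truncated: streams from index i on are not announced; still emit what fits */`; otherwise the condition would be better detected once when the header is written and returned as an error. The earlier checks let `q - data` reach `SECTION_LENGTH` exactly, so it is also worth confirming that `mpegts_write_section1` (not shown) validates the length it is given. If this function runs every time the PMT is retransmitted, the message will repeat on each call.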