avformat/mpegts: Check desc_len / get8() return code

Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-10-04 04:29:40 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2014-12-21 04:40:34 +0100
commit: 5e8b8e4b9d157d8be779e6e3e6d302988c8694d7 (patch)
tree: a31561edd65896bb2dc239dd83e7443585043ebf
parent: 86e57695257fde22da2045b6468ccaef34e848a5 (diff)
download: ffmpeg-5e8b8e4b9d157d8be779e6e3e6d302988c8694d7.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index cecb228559..244eb40eae 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1693,7 +1693,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
                 break;
             desc_len = get8(&p, desc_list_end);
             desc_end = p + desc_len;
-            if (desc_end > desc_list_end)
+            if (desc_len < 0 || desc_end > desc_list_end)
                 break;
 
             av_dlog(ts->stream, "tag: 0x%02x len=%d\n",
author	Michael Niedermayer <michaelni@gmx.at>	2014-10-04 04:29:40 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2014-12-21 04:40:34 +0100
commit	5e8b8e4b9d157d8be779e6e3e6d302988c8694d7 (patch)
tree	a31561edd65896bb2dc239dd83e7443585043ebf
parent	86e57695257fde22da2045b6468ccaef34e848a5 (diff)
download	ffmpeg-5e8b8e4b9d157d8be779e6e3e6d302988c8694d7.tar.gz