aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorLuca Barbato <lu_zero@gentoo.org>2014-08-12 20:21:12 +0200
committerDiego Biurrun <diego@biurrun.de>2014-08-13 13:57:47 -0700
commit7788297a59656ececd84f602292bfeb79f7eedd7 (patch)
tree8f1cfd1ec20743f1c2d5eab24f0ee0b22ece4957 /libavformat
parent23376ae2f0247ff659724b6a5313639db0c991ad (diff)
downloadffmpeg-7788297a59656ececd84f602292bfeb79f7eedd7.tar.gz
mpegts: Do not try to write a PMT larger than SECTION_SIZE
Prevent out of array writes. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org Signed-off-by: Diego Biurrun <diego@biurrun.de> (cherry picked from commit e8049af1325dd59a51546c15b2e71a0f578e9d27) Conflicts: libavformat/mpegtsenc.c
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/mpegtsenc.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index 102620074f..4dc52bfecf 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -255,7 +255,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
{
MpegTSWrite *ts = s->priv_data;
uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr;
- int val, stream_type, i;
+ int val, stream_type, i, err = 0;
q = data;
put16(&q, 0xe000 | service->pcr_pid);
@@ -273,6 +273,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
AVStream *st = s->streams[i];
MpegTSWriteStream *ts_st = st->priv_data;
AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL,0);
+
+ if (q - data > SECTION_LENGTH - 3 - 2 - 6) {
+ err = 1;
+ break;
+ }
switch(st->codec->codec_id) {
case AV_CODEC_ID_MPEG1VIDEO:
case AV_CODEC_ID_MPEG2VIDEO:
@@ -325,6 +330,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
*len_ptr = 0;
for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
+ if (q - data > SECTION_LENGTH - 4) {
+ err = 1;
+ break;
+ }
next = strchr(p, ',');
if (strlen(p) != 3 && (!next || next != p + 3))
continue; /* not a 3-letter code */
@@ -359,6 +368,12 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
*q++ = language[1];
*q++ = language[2];
*q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */
+
+ if (q - data > SECTION_LENGTH - 4) {
+ err = 1;
+ break;
+ }
+
if(st->codec->extradata_size == 4) {
memcpy(q, st->codec->extradata, 4);
q += 4;
@@ -384,6 +399,13 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
desc_length_ptr[0] = val >> 8;
desc_length_ptr[1] = val;
}
+
+ if (err)
+ av_log(s, AV_LOG_ERROR,
+ "The PMT section cannot fit stream %d and all following streams.\n"
+ "Try reducing the number of languages in the audio streams "
+ "or the total number of streams.\n", i);
+
mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
data, q - data);
}