Fixed potential invalid access with too short packetized data.
authorLaurent Aimar <fenrir@videolan.org>
Sat, 27 Feb 2010 21:37:57 +0000 (22:37 +0100)
committerLaurent Aimar <fenrir@videolan.org>
Sat, 27 Feb 2010 23:27:08 +0000 (00:27 +0100)
modules/packetizer/h264.c
modules/packetizer/mpeg4video.c
modules/packetizer/mpegvideo.c
modules/packetizer/packetizer_helper.h
modules/packetizer/vc1.c

index 58fe36fcb50d7cc06056217cf64ee45c06d2498f..37eb01194ee03617e5904c6bac39d2e399df8c0a 100644 (file)
@@ -202,7 +202,7 @@ static int Open( vlc_object_t *p_this )
 
     packetizer_Init( &p_sys->packetizer,
                      p_h264_startcode, sizeof(p_h264_startcode),
-                     p_h264_startcode, 1,
+                     p_h264_startcode, 1, 5,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->b_slice = false;
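Review bot: The minimum size `5` passed to packetizer_Init() here is a bare literal, and the trailing-zero loop in PacketizeParse (next hunk) repeats it as `p_block->i_buffer > 5`; the two values have to stay equal, or the loop can again shrink a block below what the helper guaranteed. A shared constant such as `#define H264_AU_MIN_SIZE 5`, with a comment saying which bytes it covers (presumably the prepended byte and start code plus the NAL header byte, to be confirmed against ParseNALBlock), would keep them in sync. The same applies to the literal `4` in the Open() hunks of mpeg4video.c, mpegvideo.c and vc1.c. Open()'s body continues outside the hunk.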
@@ -520,7 +520,7 @@ static block_t *PacketizeParse( void *p_private, bool *pb_ts_used, block_t *p_bl
     decoder_t *p_dec = p_private;
 
     /* Remove trailing 0 bytes */
-    while( p_block->i_buffer && p_block->p_buffer[p_block->i_buffer-1] == 0x00 )
+    while( p_block->i_buffer > 5 && p_block->p_buffer[p_block->i_buffer-1] == 0x00 )
         p_block->i_buffer--;
 
     return ParseNALBlock( p_dec, pb_ts_used, p_block );
index af61cc172ece1491b215505aca1cb481bdc53227..84946a5842c26aeeaba547f84d4a278ce9e357aa 100644 (file)
@@ -142,7 +142,7 @@ static int Open( vlc_object_t *p_this )
     /* Misc init */
     packetizer_Init( &p_sys->packetizer,
                      p_mp4v_startcode, sizeof(p_mp4v_startcode),
-                     NULL, 0,
+                     NULL, 0, 4,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->p_frame = NULL;
index 52f548084787d455e1758958cd2eda5d28347a1d..56bbcee4c8d39bf480301860a2fe298a3bfdb6ab 100644 (file)
@@ -170,7 +170,7 @@ static int Open( vlc_object_t *p_this )
     /* Misc init */
     packetizer_Init( &p_sys->packetizer,
                      p_mp2v_startcode, sizeof(p_mp2v_startcode),
-                     NULL, 0,
+                     NULL, 0, 4,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->p_seq = NULL;
@@ -305,7 +305,7 @@ static block_t *PacketizeParse( void *p_private, bool *pb_ts_used, block_t *p_bl
     decoder_t *p_dec = p_private;
 
     /* Check if we have a picture start code */
-    *pb_ts_used = p_block->i_buffer >= 4 && p_block->p_buffer[3] == 0x00;
+    *pb_ts_used = p_block->p_buffer[3] == 0x00;
 
     return ParseMPEGBlock( p_dec, p_block );
 }
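Review bot: With the local `p_block->i_buffer >= 4` test removed, the read of `p_block->p_buffer[3]` is bounds-safe only because Open() passes 4 as the minimum size and packetizer_Packetize() drops shorter blocks before calling pf_parse; nothing in this function records that dependency. I would add `/* packetizer_Packetize() guarantees i_buffer >= 4 (i_au_min_size) */` above the line, or keep the cheap check as defence in depth. The minimum appears to cover only the start code, so if ParseMPEGBlock (not visible here) reads bytes past index 3 for some unit types, those reads still need their own length checks. PacketizeParse begins before the hunk.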
index b2fd905b80df3d91a160522531ebcf47ca7c7653..b46b4657fcfb1fe16f15aaf4f861bffaa375b5cb 100644 (file)
@@ -49,6 +49,8 @@ typedef struct
     int i_au_prepend;
     const uint8_t *p_au_prepend;
 
+    unsigned i_au_min_size;
+
     void *p_private;
     packetizer_reset_t    pf_reset;
     packetizer_parse_t    pf_parse;
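Review bot: The new field `i_au_min_size` has no comment, and its meaning is not obvious from the name: the packetize hunk compares it with `p_pic->i_buffer` before calling `pf_parse`, so it is a byte count for the whole block handed to the callback. Suggested: `unsigned i_au_min_size; /* blocks shorter than this (in bytes) are dropped before pf_parse */`, and whether the count includes the `i_au_prepend` bytes should be stated once confirmed. It is also `unsigned` next to `int i_au_prepend`, so the comparison with the block size may be mixed-width; worth checking against the type of `i_buffer`. The struct definition starts before the hunk and ends after it.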
@@ -59,6 +61,7 @@ typedef struct
 static inline void packetizer_Init( packetizer_t *p_pack,
                                     const uint8_t *p_startcode, int i_startcode,
                                     const uint8_t *p_au_prepend, int i_au_prepend,
+                                    unsigned i_au_min_size,
                                     packetizer_reset_t pf_reset,
                                     packetizer_parse_t pf_parse,
                                     packetizer_validate_t pf_validate,
@@ -71,6 +74,7 @@ static inline void packetizer_Init( packetizer_t *p_pack,
 
     p_pack->i_au_prepend = i_au_prepend;
     p_pack->p_au_prepend = p_au_prepend;
+    p_pack->i_au_min_size = i_au_min_size;
 
     p_pack->i_startcode = i_startcode;
     p_pack->p_startcode = p_startcode;
@@ -167,11 +171,19 @@ static inline block_t *packetizer_Packetize( packetizer_t *p_pack, block_t **pp_
             p_pack->i_offset = 0;
 
             /* Parse the NAL */
-            p_pic = p_pack->pf_parse( p_pack->p_private, &b_used_ts, p_pic );
-            if( b_used_ts )
+            if( p_pic->i_buffer < p_pack->i_au_min_size )
+            {
+                block_Release( p_pic );
+                p_pic = NULL;
+            }
+            else
             {
-                p_block_bytestream->i_dts = VLC_TS_INVALID;
-                p_block_bytestream->i_pts = VLC_TS_INVALID;
+                p_pic = p_pack->pf_parse( p_pack->p_private, &b_used_ts, p_pic );
+                if( b_used_ts )
+                {
+                    p_block_bytestream->i_dts = VLC_TS_INVALID;
+                    p_block_bytestream->i_pts = VLC_TS_INVALID;
+                }
             }
 
             if( !p_pic )
index 0293febced9867d7c34926fb8e35e8e958aab344..e3c7daa0942c3386418136f193a0d046715f5d85 100644 (file)
@@ -143,7 +143,7 @@ static int Open( vlc_object_t *p_this )
 
     packetizer_Init( &p_sys->packetizer,
                      p_vc1_startcode, sizeof(p_vc1_startcode),
-                     NULL, 0,
+                     NULL, 0, 4,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->b_sequence_header = false;