From 873bcee7d2eb03fe944fe28dad5ca11251e51196 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sat, 27 Feb 2010 22:37:57 +0100
Subject: [PATCH] Fixed potential invalid access with too short packetized data.

---
 modules/packetizer/h264.c              | 4 ++--
 modules/packetizer/mpeg4video.c        | 2 +-
 modules/packetizer/mpegvideo.c         | 4 ++--
 modules/packetizer/packetizer_helper.h | 20 ++++++++++++++++----
 modules/packetizer/vc1.c               | 2 +-
 5 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/modules/packetizer/h264.c b/modules/packetizer/h264.c
index 58fe36fcb5..37eb01194e 100644
--- a/modules/packetizer/h264.c
+++ b/modules/packetizer/h264.c
@@ -202,7 +202,7 @@ static int Open( vlc_object_t *p_this )
 
     packetizer_Init( &p_sys->packetizer,
                      p_h264_startcode, sizeof(p_h264_startcode),
-                     p_h264_startcode, 1,
+                     p_h264_startcode, 1, 5,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->b_slice = false;
@@ -520,7 +520,7 @@ static block_t *PacketizeParse( void *p_private, bool *pb_ts_used, block_t *p_bl
     decoder_t *p_dec = p_private;
 
     /* Remove trailing 0 bytes */
-    while( p_block->i_buffer && p_block->p_buffer[p_block->i_buffer-1] == 0x00 )
+    while( p_block->i_buffer > 5 && p_block->p_buffer[p_block->i_buffer-1] == 0x00 )
         p_block->i_buffer--;
 
     return ParseNALBlock( p_dec, pb_ts_used, p_block );
diff --git a/modules/packetizer/mpeg4video.c b/modules/packetizer/mpeg4video.c
index af61cc172e..84946a5842 100644
--- a/modules/packetizer/mpeg4video.c
+++ b/modules/packetizer/mpeg4video.c
@@ -142,7 +142,7 @@ static int Open( vlc_object_t *p_this )
     /* Misc init */
     packetizer_Init( &p_sys->packetizer,
                      p_mp4v_startcode, sizeof(p_mp4v_startcode),
-                     NULL, 0,
+                     NULL, 0, 4,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->p_frame = NULL;
diff --git a/modules/packetizer/mpegvideo.c b/modules/packetizer/mpegvideo.c
index 52f5480847..56bbcee4c8 100644
--- a/modules/packetizer/mpegvideo.c
+++ b/modules/packetizer/mpegvideo.c
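Review bot: The minimum-size value 5 is now written twice in h264.c — as the new last argument of the `packetizer_Init` call in Open() and as the `> 5` bound of the trailing-zero loop in PacketizeParse — with nothing tying the two together, so a later change to one silently breaks the other. Name it once near the start-code table, e.g. `enum { H264_AU_MIN_SIZE = 5 }; /* presumably start code plus the NAL header byte — confirm */`, and use it in both places; the literal `4` passed in the mpeg4video.c, mpegvideo.c and vc1.c Init calls deserves the same treatment in each module. Both enclosing functions, Open() and PacketizeParse(), continue outside the hunks.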
@@ -170,7 +170,7 @@ static int Open( vlc_object_t *p_this )
     /* Misc init */
     packetizer_Init( &p_sys->packetizer,
                      p_mp2v_startcode, sizeof(p_mp2v_startcode),
-                     NULL, 0,
+                     NULL, 0, 4,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->p_seq = NULL;
@@ -305,7 +305,7 @@ static block_t *PacketizeParse( void *p_private, bool *pb_ts_used, block_t *p_bl
     decoder_t *p_dec = p_private;
 
     /* Check if we have a picture start code */
-    *pb_ts_used = p_block->i_buffer >= 4 && p_block->p_buffer[3] == 0x00;
+    *pb_ts_used = p_block->p_buffer[3] == 0x00;
 
     return ParseMPEGBlock( p_dec, p_block );
 }
diff --git a/modules/packetizer/packetizer_helper.h b/modules/packetizer/packetizer_helper.h
index b2fd905b80..b46b4657fc 100644
--- a/modules/packetizer/packetizer_helper.h
+++ b/modules/packetizer/packetizer_helper.h
@@ -49,6 +49,8 @@ typedef struct
 
     int i_au_prepend;
     const uint8_t *p_au_prepend;
+    unsigned i_au_min_size;
+
     void *p_private;
     packetizer_reset_t pf_reset;
     packetizer_parse_t pf_parse;
@@ -59,6 +61,7 @@ static inline void packetizer_Init( packetizer_t *p_pack,
 
                                     const uint8_t *p_startcode, int i_startcode,
                                     const uint8_t *p_au_prepend, int i_au_prepend,
+                                    unsigned i_au_min_size,
                                     packetizer_reset_t pf_reset,
                                     packetizer_parse_t pf_parse,
                                     packetizer_validate_t pf_validate,
@@ -71,6 +74,7 @@ static inline void packetizer_Init( packetizer_t *p_pack,
 
     p_pack->i_au_prepend = i_au_prepend;
     p_pack->p_au_prepend = p_au_prepend;
+    p_pack->i_au_min_size = i_au_min_size;
 
     p_pack->i_startcode = i_startcode;
     p_pack->p_startcode = p_startcode;
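Review bot: Removing the `i_buffer >= 4` test from PacketizeParse in mpegvideo.c turns a local bounds check into a cross-module invariant: `p_block->p_buffer[3]` is only in bounds because Open() passes 4 as `i_au_min_size` and packetizer_Packetize() releases shorter blocks before calling pf_parse. Nothing in this function says so, and a future caller or a changed constant reintroduces the out-of-bounds read; keep the precondition visible with `assert( p_block->i_buffer >= 4 ); /* guaranteed by i_au_min_size passed to packetizer_Init() */` above the read (assuming <assert.h> is already included here, which the hunk does not show). PacketizeParse() begins outside the hunk.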
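Review bot: The new `i_au_min_size` member in packetizer_helper.h carries the contract the whole fix rests on, yet neither the struct nor the `packetizer_Init` signature says what it means or that undersized access units are dropped rather than parsed. Add `/* Minimum access-unit size in bytes; shorter blocks are released without being passed to pf_parse */` on the member, and state in the Init signature that each packetizer must pass a value at least as large as the fixed offsets its pf_parse reads. The same documentation gap applies to the parameter added in the following hunk and the assignment in the one after it.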
@@ -167,11 +171,19 @@ static inline block_t *packetizer_Packetize( packetizer_t *p_pack, block_t **pp_
             p_pack->i_offset = 0;
 
             /* Parse the NAL */
-            p_pic = p_pack->pf_parse( p_pack->p_private, &b_used_ts, p_pic );
-            if( b_used_ts )
+            if( p_pic->i_buffer < p_pack->i_au_min_size )
+            {
+                block_Release( p_pic );
+                p_pic = NULL;
+            }
+            else
             {
-                p_block_bytestream->i_dts = VLC_TS_INVALID;
-                p_block_bytestream->i_pts = VLC_TS_INVALID;
+                p_pic = p_pack->pf_parse( p_pack->p_private, &b_used_ts, p_pic );
+                if( b_used_ts )
+                {
+                    p_block_bytestream->i_dts = VLC_TS_INVALID;
+                    p_block_bytestream->i_pts = VLC_TS_INVALID;
+                }
             }
 
             if( !p_pic )
diff --git a/modules/packetizer/vc1.c b/modules/packetizer/vc1.c
index 0293febced..e3c7daa094 100644
--- a/modules/packetizer/vc1.c
+++ b/modules/packetizer/vc1.c
@@ -143,7 +143,7 @@ static int Open( vlc_object_t *p_this )
 
     packetizer_Init( &p_sys->packetizer,
                      p_vc1_startcode, sizeof(p_vc1_startcode),
-                     NULL, 0,
+                     NULL, 0, 4,
                      PacketizeReset, PacketizeParse, PacketizeValidate, p_dec );
 
     p_sys->b_sequence_header = false;
-- 
2.39.2
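Review bot: The new short-block branch in packetizer_Packetize() releases `p_pic` without touching `b_used_ts` or the bytestream's `i_dts`/`i_pts`, so — unless code outside the hunk has already consumed them — the timestamps that arrived with the discarded bytes presumably carry over to the next access unit the loop produces. If that is intended, say so where the block is released, e.g. `/* Too short for pf_parse's fixed-offset reads: drop it; pending timestamps stay for the next AU */`; if not, the bytestream timestamps need resetting in this branch too. The discard is also completely silent, which makes a stream of undersized units hard to diagnose; the helper has no object to log through here, so a comment naming that trade-off would help the next reader. packetizer_Packetize() begins and ends outside the hunk.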