mpegts: Validate the SL Packet Header Configuration
authorLuca Barbato <lu_zero@gentoo.org>
Wed, 17 Feb 2016 01:16:42 +0000 (02:16 +0100)
committerLuca Barbato <lu_zero@gentoo.org>
Tue, 3 May 2016 05:21:45 +0000 (14:21 +0900)
timeStampLength, OCRLength and AU_Length have well specified upper
boundaries.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
libavformat/mpegts.c

index 4a593cb..740cc14 100644 (file)
@@ -1171,6 +1171,11 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
         descr->sl.degr_prior_len     = lengths >> 12;
         descr->sl.au_seq_num_len     = (lengths >> 7) & 0x1f;
         descr->sl.packet_seq_num_len = (lengths >> 2) & 0x1f;
+        if (descr->sl.timestamp_len >= 64 ||
+            descr->sl.ocr_len >= 64 ||
+            descr->sl.au_len >= 32) {
+            return AVERROR_INVALIDDATA;
+        }
     } else {
         avpriv_report_missing_feature(d->s, "Predefined SLConfigDescriptor");
     }