diff options
-rw-r--r-- | ChangeLog | 8 | ||||
m--------- | common | 0 | ||||
-rw-r--r-- | gst/rtp/gstrtph263pdepay.c | 6 |
3 files changed, 14 insertions, 0 deletions
@@ -1,3 +1,11 @@ +2008-03-08 Sebastian Dröge <slomo@circular-chaos.org> + + Patch by: Olivier Crete <tester at tester dot ca> + + * gst/rtp/gstrtph263pdepay.c: (gst_rtp_h263p_depay_process): + Check that a buffer is large enough before reading from it. + Fixes bug #521102. + 2008-03-07 Wim Taymans <wim.taymans@collabora.co.uk> * gst/udp/gstudpsrc.c: (gst_udpsrc_start): diff --git a/common b/common -Subproject e02bd43fe6b9e45536eccbf5b7a5f9eae62030f +Subproject 170f8e91adc7157f6e708ffa58ca22d10e4e45d diff --git a/gst/rtp/gstrtph263pdepay.c b/gst/rtp/gstrtph263pdepay.c index 082d26f6..7d775732 100644 --- a/gst/rtp/gstrtph263pdepay.c +++ b/gst/rtp/gstrtph263pdepay.c @@ -265,6 +265,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) header_len = 2; + if (payload_len < header_len) + goto bad_packet; + M = gst_rtp_buffer_get_marker (buf); /* 0 1 @@ -285,6 +288,9 @@ gst_rtp_h263p_depay_process (GstBaseRTPDepayload * depayload, GstBuffer * buf) header_len += PLEN; } + if ((!P && payload_len < header_len) || (P && payload_len < header_len - 2)) + goto bad_packet; + if (P) { rtph263pdepay->wait_start = FALSE; header_len -= 2; |