mpegts: Do not try to write a PMT larger than SECTION_SIZE

Prevent out of array writes. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org Signed-off-by: Diego Biurrun <diego@biurrun.de>

mpegts: Do not try to write a PMT larger than SECTION_SIZE
Prevent out of array writes. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org Signed-off-by: Diego Biurrun <diego@biurrun.de>
e8049af1 · Luca Barbato · Diego Biurrun · 35324054 · e8049af1
Commit e8049af1 authored Aug 12, 2014 by Luca Barbato Committed by Diego Biurrun Aug 13, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

mpegtsenc.c libavformat/mpegtsenc.c +23 -1

No files found.
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -226,7 +226,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 {
    MpegTSWrite *ts = s->priv_data;
    uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr;
-    int val, stream_type, i;
+    int val, stream_type, i, err = 0;

    q = data;
    put16(&q, 0xe000 | service->pcr_pid);
@@ -244,6 +244,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
        AVStream *st = s->streams[i];
        MpegTSWriteStream *ts_st = st->priv_data;
        AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL, 0);
+
+        if (q - data > SECTION_LENGTH - 3 - 2 - 6) {
+            err = 1;
+            break;
+        }
        switch (st->codec->codec_id) {
        case AV_CODEC_ID_MPEG1VIDEO:
        case AV_CODEC_ID_MPEG2VIDEO:
@@ -301,6 +306,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
                *len_ptr = 0;

                for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
+                    if (q - data > SECTION_LENGTH - 4) {
+                        err = 1;
+                        break;
+                    }
                    next = strchr(p, ',');
                    if (strlen(p) != 3 && (!next || next != p + 3))
                        continue; /* not a 3-letter code */
@@ -335,6 +344,12 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
            *q++ = language[1];
            *q++ = language[2];
            *q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */
+
+            if (q - data > SECTION_LENGTH - 4) {
+                err = 1;
+                break;
+            }
+
            if (st->codec->extradata_size == 4) {
                memcpy(q, st->codec->extradata, 4);
                q += 4;
@@ -360,6 +375,13 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
        desc_length_ptr[0] = val >> 8;
        desc_length_ptr[1] = val;
    }
+
+    if (err)
+        av_log(s, AV_LOG_ERROR,
+               "The PMT section cannot fit stream %d and all following streams.\n"
+               "Try reducing the number of languages in the audio streams "
+               "or the total number of streams.\n", i);
+
    mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
                          data, q - data);
 }