Commit e8049af1 authored by Luca Barbato's avatar Luca Barbato Committed by Diego Biurrun

mpegts: Do not try to write a PMT larger than SECTION_SIZE

Prevent out of array writes.

Similar to what Michael Niedermayer did to address the same issue.

Bug-Id: CVE-2014-2263
CC: libav-stable@libav.org
Signed-off-by: 's avatarDiego Biurrun <diego@biurrun.de>
parent 35324054
...@@ -226,7 +226,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) ...@@ -226,7 +226,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
{ {
MpegTSWrite *ts = s->priv_data; MpegTSWrite *ts = s->priv_data;
uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr; uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr;
int val, stream_type, i; int val, stream_type, i, err = 0;
q = data; q = data;
put16(&q, 0xe000 | service->pcr_pid); put16(&q, 0xe000 | service->pcr_pid);
...@@ -244,6 +244,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) ...@@ -244,6 +244,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
AVStream *st = s->streams[i]; AVStream *st = s->streams[i];
MpegTSWriteStream *ts_st = st->priv_data; MpegTSWriteStream *ts_st = st->priv_data;
AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL, 0); AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL, 0);
if (q - data > SECTION_LENGTH - 3 - 2 - 6) {
err = 1;
break;
}
switch (st->codec->codec_id) { switch (st->codec->codec_id) {
case AV_CODEC_ID_MPEG1VIDEO: case AV_CODEC_ID_MPEG1VIDEO:
case AV_CODEC_ID_MPEG2VIDEO: case AV_CODEC_ID_MPEG2VIDEO:
...@@ -301,6 +306,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) ...@@ -301,6 +306,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
*len_ptr = 0; *len_ptr = 0;
for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) { for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
if (q - data > SECTION_LENGTH - 4) {
err = 1;
break;
}
next = strchr(p, ','); next = strchr(p, ',');
if (strlen(p) != 3 && (!next || next != p + 3)) if (strlen(p) != 3 && (!next || next != p + 3))
continue; /* not a 3-letter code */ continue; /* not a 3-letter code */
...@@ -335,6 +344,12 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) ...@@ -335,6 +344,12 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
*q++ = language[1]; *q++ = language[1];
*q++ = language[2]; *q++ = language[2];
*q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */ *q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */
if (q - data > SECTION_LENGTH - 4) {
err = 1;
break;
}
if (st->codec->extradata_size == 4) { if (st->codec->extradata_size == 4) {
memcpy(q, st->codec->extradata, 4); memcpy(q, st->codec->extradata, 4);
q += 4; q += 4;
...@@ -360,6 +375,13 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) ...@@ -360,6 +375,13 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
desc_length_ptr[0] = val >> 8; desc_length_ptr[0] = val >> 8;
desc_length_ptr[1] = val; desc_length_ptr[1] = val;
} }
if (err)
av_log(s, AV_LOG_ERROR,
"The PMT section cannot fit stream %d and all following streams.\n"
"Try reducing the number of languages in the audio streams "
"or the total number of streams.\n", i);
mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0, mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
data, q - data); data, q - data);
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment