@@ -59,6 +59,7 @@ using namespace std;
5959#define AAC_PTS_INPUT_DEBUG 0
6060#define EOS_DEBUG 0
6161
62+ // MAX_HEADER_SIZE is valid max size for H.264 and AAC, however AAC header is actually smaller.
6263#define MAX_HEADER_SIZE 256
6364#define INPUT_BUFFERS_BEFORE_ERROR 500
6465
@@ -635,17 +636,25 @@ void dshowwrapper_deliver_post_process_mp2t(GstBuffer *pBuffer, GstDShowWrapper
635636 data = info.data ;
636637 size = info.size ;
637638
638- if (data == NULL || size < 3 )
639+ // PES header 6 bytes + optional extension + payload
640+ // We should have at least 7 bytes (header + 1 byte for payload)
641+ if (data == NULL || size < 7 )
642+ {
643+ gst_buffer_unmap (pBuffer, &info);
639644 return ;
645+ }
640646
641647 if (data[0 ] == 0x00 && data[1 ] == 0x00 && data[2 ] == 0x01 ) // PES header start
642648 {
643- if ((data[6 ] & 0x80 ) == 0x80 ) // Optional PES header
649+ // Check for optional PES header and make sure we have enough bytes
650+ // to continue parsing optional PES header which is 3 bytes.
651+ if ((data[6 ] & 0x80 ) == 0x80 && size >= 9 ) // Optional PES header
644652 {
645653 __int64 PTS = 0 ;
646654 GstClockTime gst_pts = GST_CLOCK_TIME_NONE;
647655
648- if ((data[7 ] & 0x80 ) == 0x80 ) // Get PTS
656+ // Make sure we have enough bytes to read PTS
657+ if ((data[7 ] & 0x80 ) == 0x80 && size >= 14 ) // Get PTS
649658 {
650659 PTS |= ((__int64)(data[9 ] & 0x0E ) << 29 );
651660 PTS |= (data[10 ] << 22 );
@@ -694,11 +703,21 @@ void dshowwrapper_deliver_post_process_mp2t(GstBuffer *pBuffer, GstDShowWrapper
694703 }
695704
696705 guint8 optional_remaining_header_size = data[8 ];
697- size -= (PES_HEADER_SIZE + PES_OPTIONAL_HEADER_SIZE + optional_remaining_header_size);
698- offset = (PES_HEADER_SIZE + PES_OPTIONAL_HEADER_SIZE + optional_remaining_header_size);
706+ if ((PES_HEADER_SIZE + PES_OPTIONAL_HEADER_SIZE + optional_remaining_header_size) < size)
707+ {
708+ size -= (PES_HEADER_SIZE + PES_OPTIONAL_HEADER_SIZE + optional_remaining_header_size);
709+ offset = (PES_HEADER_SIZE + PES_OPTIONAL_HEADER_SIZE + optional_remaining_header_size);
710+ }
711+ else
712+ {
713+ // Something wrong.
714+ gst_buffer_unmap (pBuffer, &info);
715+ return ;
716+ }
699717 }
700718 else
701719 {
720+ // Skip 6 bytes of PES header
702721 size -= PES_HEADER_SIZE;
703722 offset = PES_HEADER_SIZE;
704723 }
@@ -1551,7 +1570,14 @@ static gboolean dshowwrapper_load_decoder_aac(GstStructure *s, GstDShowWrapper *
15511570 codec_data = gst_value_get_buffer (v);
15521571 if (codec_data != NULL )
15531572 if (gst_buffer_map (codec_data, &info, GST_MAP_READ))
1554- codec_data_size = info.size ;
1573+ codec_data_size = (gint)info.size ;
1574+ }
1575+
1576+ // Make sure header has reasonable size
1577+ if (codec_data_size < 0 || codec_data_size > MAX_HEADER_SIZE)
1578+ {
1579+ gst_buffer_unmap (codec_data, &info);
1580+ return FALSE ;
15551581 }
15561582
15571583 inputFormat.type = MEDIATYPE_Audio;
@@ -2071,13 +2097,14 @@ static gboolean dshowwrapper_load_decoder_h264(GstStructure *s, GstDShowWrapper
20712097 if (gst_buffer_map (codec_data, &codec_data_info, GST_MAP_READ))
20722098 {
20732099 if (codec_data_info.size <= MAX_HEADER_SIZE)
2074- header_size = dshowwrapper_get_avc_config (codec_data_info.data , codec_data_info.size , header, MAX_HEADER_SIZE, &decoder->lengthSizeMinusOne );
2100+ header_size = (gint) dshowwrapper_get_avc_config (codec_data_info.data , codec_data_info.size , header, MAX_HEADER_SIZE, &decoder->lengthSizeMinusOne );
20752101 gst_buffer_unmap (codec_data, &codec_data_info);
20762102 }
20772103 }
20782104 else
20792105 return FALSE ;
20802106
2107+ // dshowwrapper_get_avc_config() will make sure that (header_size <= MAX_HEADER_SIZE)
20812108 if (header_size <= 0 )
20822109 return FALSE ;
20832110
0 commit comments