m2ts: check descs_size read from input to prevent overflow (#2388)

gpac · Feb 7, 2023 · 8db20cb · 8db20cb
1 parent a5efec8
commit 8db20cb
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/media_tools/mpegts.c b/src/media_tools/mpegts.c
@@ -823,6 +823,11 @@ static void gf_m2ts_process_sdt(GF_M2TS_Demuxer *ts, GF_M2TS_SECTION_ES *ses, GF
 		descs_size = ((data[pos+3]&0xf)<<8) | data[pos+4];
 		pos += 5;
 
+		if (pos+descs_size > data_size) {
+			GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[MPEG-2 TS] Invalid descriptors size read from data (%u)\n"));
+			return;
+		}
+
 		d_pos = 0;
 		while (d_pos < descs_size) {
 			u8 d_tag = data[pos+d_pos];
@@ -2129,7 +2134,7 @@ void gf_m2ts_flush_pes(GF_M2TS_Demuxer *ts, GF_M2TS_PES *pes, u32 force_flush_ty
 
 		} else {
 			if (!has_data) goto exit;
-			
+
 			/*3-byte start-code + 1 byte streamid*/
 			len = 4;
 			memset(&pesh, 0, sizeof(pesh));