From 74d98d1b0e0e7af444c933ea3c472494de3ce6f2 Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Wed, 17 Feb 2016 02:16:42 +0100
Subject: mpegts: Validate the SL Packet Header Configuration

timeStampLength, OCRLength and AU_Length have well specified upper
boundaries.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavformat/mpegts.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavformat')

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 4a593cbf93..740cc14d43 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1171,6 +1171,11 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
         descr->sl.degr_prior_len     = lengths >> 12;
         descr->sl.au_seq_num_len     = (lengths >> 7) & 0x1f;
         descr->sl.packet_seq_num_len = (lengths >> 2) & 0x1f;
+        if (descr->sl.timestamp_len >= 64 ||
+            descr->sl.ocr_len >= 64 ||
+            descr->sl.au_len >= 32) {
+            return AVERROR_INVALIDDATA;
+        }
     } else {
         avpriv_report_missing_feature(d->s, "Predefined SLConfigDescriptor");
     }
-- 
cgit v1.2.3