File gstreamer-mpegdemux-extra-length-checks.patch of Package gstreamer-plugins-bad

From ae98d3537be611de771d94cc48da218d9a8cb540 Mon Sep 17 00:00:00 2001
From: Jan Schmidt <jan@centricular.com>
Date: Wed, 1 Feb 2017 14:37:29 +1100
Subject: [PATCH] mpegdemux: Add extra length checks to TS scanning.

Add some missing size checks to the timestamp scanning
fast path.

Rebased by Mike Gorse <mgorse@suse.com>
---
diff -urp gst-plugins-bad-1.8.3.orig/gst/mpegdemux/gstmpegdemux.c gst-plugins-bad-1.8.3/gst/mpegdemux/gstmpegdemux.c
--- gst-plugins-bad-1.8.3.orig/gst/mpegdemux/gstmpegdemux.c	2017-03-02 11:41:01.193319588 -0600
+++ gst-plugins-bad-1.8.3/gst/mpegdemux/gstmpegdemux.c	2017-03-02 11:59:50.489340201 -0600
@@ -2409,6 +2409,8 @@ gst_ps_demux_scan_ts (GstPsDemux * demux
   code = GST_READ_UINT32_BE (data);
   if (G_LIKELY (code != ID_PS_PACK_START_CODE))
     goto beach;
+  if (data + 12 > end)
+    goto beach;
 
   /* skip start code */
   data += 4;
@@ -2446,12 +2448,17 @@ gst_ps_demux_scan_ts (GstPsDemux * demux
     /* SCR has been converted into units of 90Khz ticks to make it comparable
        to DTS/PTS, that also implies 1 tick rounding error */
     data += 6;
+
+    if (data + 4 > end)
+      goto beach;
     /* PMR:22 ! :2==11 ! reserved:5 ! stuffing_len:3 */
     next32 = GST_READ_UINT32_BE (data);
     if ((next32 & 0x00000300) != 0x00000300)
       goto beach;
     stuffing_bytes = (next32 & 0x07);
     data += 4;
+    if (data + stuffing_bytes > end)
+      goto beach;
     while (stuffing_bytes--) {
       if (*data++ != 0xff)
         goto beach;
@@ -2478,6 +2485,9 @@ gst_ps_demux_scan_ts (GstPsDemux * demux
   }
 
   /* Possible optional System header here */
+  if (data + 8 > end)
+    goto beach;
+
   code = GST_READ_UINT32_BE (data);
   len = GST_READ_UINT16_BE (data + 4);