Skip to content

V
vlc
Commit b5a03067 authored by Rafaël Carré's avatar Rafaël Carré
Browse files
Options

ADTS in TS muxing: fix use after free

parent c9c770e7
Hide whitespace changes
Inline Side-by-side
Showing with 6 additions and 6 deletions
modules/mux/mpeg/ts.c
View file @ b5a03067
...@@ -1586,11 +1586,14 @@ static block_t *FixPES( sout_mux_t *p_mux, block_fifo_t *p_fifo ) ...@@ -1586,11 +1586,14 @@ static block_t *FixPES( sout_mux_t *p_mux, block_fifo_t *p_fifo )
static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt ) static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
{ {
#define ADTS_HEADER_SIZE 7 /* CRC needs 2 more bytes */
uint8_t *p_extra = p_fmt->p_extra; uint8_t *p_extra = p_fmt->p_extra;
if( !p_data || p_fmt->i_extra < 2 || !p_extra ) if( !p_data || p_fmt->i_extra < 2 || !p_extra )
return p_data; /* no data to construct the headers */ return p_data; /* no data to construct the headers */
size_t frame_length = p_data->i_buffer + ADTS_HEADER_SIZE;
int i_index = ( (p_extra[0] << 1) | (p_extra[1] >> 7) ) & 0x0f; int i_index = ( (p_extra[0] << 1) | (p_extra[1] >> 7) ) & 0x0f;
int i_profile = (p_extra[0] >> 3) - 1; /* i_profile < 4 */ int i_profile = (p_extra[0] >> 3) - 1; /* i_profile < 4 */
...@@ -1599,9 +1602,6 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt ) ...@@ -1599,9 +1602,6 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
int i_channels = (p_extra[i_index == 0x0f ? 4 : 1] >> 3) & 0x0f; int i_channels = (p_extra[i_index == 0x0f ? 4 : 1] >> 3) & 0x0f;
#define ADTS_HEADER_SIZE 7 /* CRC needs 2 more bytes */
/* keep a copy in case block_Realloc() fails */ /* keep a copy in case block_Realloc() fails */
block_t *p_bak_block = block_Duplicate( p_data ); block_t *p_bak_block = block_Duplicate( p_data );
if( !p_bak_block ) /* OOM, block_Realloc() is likely to lose our block */ if( !p_bak_block ) /* OOM, block_Realloc() is likely to lose our block */
...@@ -1621,7 +1621,7 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt ) ...@@ -1621,7 +1621,7 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
p_buffer[0] = 0xff; p_buffer[0] = 0xff;
p_buffer[1] = 0xf1; /* 0xf0 | 0x00 | 0x00 | 0x01 */ p_buffer[1] = 0xf1; /* 0xf0 | 0x00 | 0x00 | 0x01 */
p_buffer[2] = (i_profile << 6) | ((i_index & 0x0f) << 2) | ((i_channels >> 2) & 0x01) ; p_buffer[2] = (i_profile << 6) | ((i_index & 0x0f) << 2) | ((i_channels >> 2) & 0x01) ;
p_buffer[3] = (i_channels << 6) | ((p_data->i_buffer >> 11) & 0x03); p_buffer[3] = (i_channels << 6) | ((frame_length >> 11) & 0x03);
/* variable header (starts at last 2 bits of 4th byte) */ /* variable header (starts at last 2 bits of 4th byte) */
...@@ -1629,8 +1629,8 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt ) ...@@ -1629,8 +1629,8 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
/* XXX: We should check if it's CBR or VBR, but no known implementation /* XXX: We should check if it's CBR or VBR, but no known implementation
* do that, and it's a pain to calculate this field */ * do that, and it's a pain to calculate this field */
p_buffer[4] = p_data->i_buffer >> 3; p_buffer[4] = frame_length >> 3;
p_buffer[5] = ((p_data->i_buffer & 0x07) << 5) | ((i_fullness >> 6) & 0x1f); p_buffer[5] = ((frame_length & 0x07) << 5) | ((i_fullness >> 6) & 0x1f);
p_buffer[6] = ((i_fullness & 0x3f) << 2) /* | 0xfc */; p_buffer[6] = ((i_fullness & 0x3f) << 2) /* | 0xfc */;
return p_new_block; return p_new_block;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment