Bug 665988 - mpegtsparse: segfault on malformed packets when retrieving table_id
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
Version: git master
Hardware: Other All
Importance: Normal normal
Target Milestone: 0.10.24
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Reported: 2011-12-12 09:21 UTC by Julien Isorce
Modified: 2011-12-13 09:45 UTC

Attachments
pcap sample to reproduce the problem (932.43 KB, application/x-gzip)
2011-12-12 09:21 UTC, Julien Isorce
check pointer when retrieving table id on malformed packets (1.88 KB, patch)
2011-12-12 09:22 UTC, Julien Isorce
reviewed
check offset when retrieving table id (2.29 KB, patch)
2011-12-12 13:58 UTC, Julien Isorce
committed
Revert "mpegtsparse: check offset when retrieving table_id on malformed packets" (1.63 KB, patch)
2011-12-12 14:55 UTC, Julien Isorce
committed
mpegtsparse: check offset when retrieving table_id on malformed packets (1.08 KB, patch)
2011-12-12 14:56 UTC, Julien Isorce
committed

Description Julien Isorce 2011-12-12 09:21:17 UTC
Created attachment 203237
pcap sample to reproduce the problem

steps to reproduce:

GST_DEBUG=mpegtsparse:2 gst-launch-0.10 filesrc location=espn_small_3.pcap ! pcapparse ! mpegtsparse ! fakesink
Comment 1 Julien Isorce 2011-12-12 09:22:41 UTC
Created attachment 203238
check pointer when retrieving table id on malformed packets
Comment 2 Sebastian Dröge (slomo) 2011-12-12 12:37:59 UTC
Review of attachment 203238:

::: gst/mpegdemux/mpegtsparse.c
@@ +895,3 @@
       data += pointer;
+      if (!(data - GST_BUFFER_DATA (packet->buffer) <
+              GST_BUFFER_SIZE (packet->buffer))) {
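
Review bot: The bound on the two added lines is tested only after "data += pointer" has already advanced the pointer, and it is measured from GST_BUFFER_DATA (packet->buffer), so it is only meaningful if data was derived from the start of that buffer. Comparing pointer against the bytes remaining in the packet before advancing avoids forming an out-of-range pointer, and writing the test as ">=" instead of "!(... < ...)" reads more directly. The pointer difference is signed while GST_BUFFER_SIZE is unsigned, so an explicit offset-based comparison would also make the intended types clear.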

This check is not very intuitive, maybe add a comment here why this is a problem
Comment 3 Julien Isorce 2011-12-12 13:58:25 UTC
Created attachment 203252
check offset when retrieving table id

This patch is equivalent to the previous one except I added a comment and I made the check more intuitive
Comment 4 Sebastian Dröge (slomo) 2011-12-12 14:05:42 UTC
commit e62978d045d57ee9fed7598c02b9017eb974ea36
Author: Julien Isorce <julien.isorce@gmail.com>
Date:   Mon Dec 12 14:54:00 2011 +0100

    mpegtsparse: check offset when retrieving table_id on malformed packets
Comment 5 Julien Isorce 2011-12-12 14:55:57 UTC
Created attachment 203256
Revert "mpegtsparse: check offset when retrieving table_id on malformed packets"

This reverts commit e62978d045d57ee9fed7598c02b9017eb974ea36
    
Original commit is valid but not enough to avoid out of range.
It supposes that GST_BUFFER_DATA (packet->buffer) is equal to
packet->data which is wrong.
Comment 6 Julien Isorce 2011-12-12 14:56:37 UTC
Created attachment 203257
mpegtsparse: check offset when retrieving table_id on malformed packets

Should be ok now
Comment 7 Sebastian Dröge (slomo) 2011-12-13 09:45:20 UTC
commit f21ea162ad3047d38d6e678aded23449c48f9f21
Author: Julien Isorce <julien.isorce@gmail.com>
Date:   Mon Dec 12 15:52:20 2011 +0100

    mpegtsparse: check offset when retrieving table_id on malformed packets
    
    Fix bug #665988

commit 0d40afa9f00df02a56be1e0081824d5916a23887
Author: Sebastian Dröge <sebastian.droege@collabora.co.uk>
Date:   Tue Dec 13 10:44:42 2011 +0100

    Revert "mpegtsparse: check offset when retrieving table_id on malformed pack
    
    This reverts commit e62978d045d57ee9fed7598c02b9017eb974ea36.
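
The bounds problem discussed in comments 2 and 5, as an added example that is not GStreamer's code or any of the attached patches: the table_id read is bounded by the packet's own length and done in offsets, and the constructed sample shows why bounding by the enclosing buffer is not enough. The names ts_get_table_id and make_sample, the 188-byte packet size, and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_PACKET_SIZE 188

/* Hypothetical helper (not GStreamer code): read table_id from a TS packet
 * that starts a PSI section. pkt/len must describe the packet itself.
 * Returns 0 and stores the id, or -1 if the packet is malformed. */
int ts_get_table_id(const uint8_t *pkt, size_t len, uint8_t *table_id)
{
    size_t off = 4;                          /* fixed 4-byte TS header */

    if (len < TS_PACKET_SIZE || pkt[0] != 0x47)
        return -1;                           /* short or missing sync byte */
    if (!(pkt[1] & 0x40) || !(pkt[3] & 0x10))
        return -1;                           /* no section start / no payload */
    if (pkt[3] & 0x20) {                     /* adaptation field present */
        off += 1 + (size_t)pkt[4];           /* its length byte + body */
        if (off >= len)
            return -1;
    }
    /* pkt[off] is pointer_field. Work in offsets and compare before the
     * read, so no pointer past the packet is ever formed. */
    size_t section = off + 1 + (size_t)pkt[off];
    if (section >= len)
        return -1;
    *table_id = pkt[section];
    return 0;
}

/* Constructed sample: two packets in one buffer; the first packet's
 * pointer_field is set by the caller, the second is filled with 0x42. */
void make_sample(uint8_t buf[2 * TS_PACKET_SIZE], uint8_t pointer_field)
{
    memset(buf, 0, TS_PACKET_SIZE);
    memset(buf + TS_PACKET_SIZE, 0x42, TS_PACKET_SIZE);
    buf[0] = 0x47; buf[1] = 0x40; buf[3] = 0x10;
    buf[4] = pointer_field;
    buf[5] = 0x02;                           /* table_id when pointer_field == 0 */
}

int main(void)
{
    uint8_t buf[2 * TS_PACKET_SIZE], id = 0;
    make_sample(buf, 200);                   /* points into the second packet */
    printf("packet bound: %d\n", ts_get_table_id(buf, TS_PACKET_SIZE, &id));
    printf("buffer bound: %d\n", ts_get_table_id(buf, sizeof buf, &id));
    return 0;
}
```

With the packet length as the bound the malformed packet is rejected; with the whole buffer as the bound the same call succeeds and returns a byte that belongs to the next packet.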