[vlc-commits] ADTS in TS muxing: fix use after free

Rafaël Carré git at videolan.org
Sat Mar 3 21:35:07 CET 2012


vlc | branch: master | Rafaël Carré <funman at videolan.org> | Sat Mar  3 15:20:07 2012 -0500| [b5a03067d5670694142bd545aa88522908216347] | committer: Rafaël Carré

ADTS in TS muxing: fix use after free

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=b5a03067d5670694142bd545aa88522908216347
---

 modules/mux/mpeg/ts.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/mux/mpeg/ts.c b/modules/mux/mpeg/ts.c
index 2be8300..a887095 100644
--- a/modules/mux/mpeg/ts.c
+++ b/modules/mux/mpeg/ts.c
@@ -1586,11 +1586,14 @@ static block_t *FixPES( sout_mux_t *p_mux, block_fifo_t *p_fifo )
 
 static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
 {
+#define ADTS_HEADER_SIZE 7 /* CRC needs 2 more bytes */
+
     uint8_t *p_extra = p_fmt->p_extra;
 
     if( !p_data || p_fmt->i_extra < 2 || !p_extra )
         return p_data; /* no data to construct the headers */
 
+    size_t frame_length = p_data->i_buffer + ADTS_HEADER_SIZE;
     int i_index = ( (p_extra[0] << 1) | (p_extra[1] >> 7) ) & 0x0f;
     int i_profile = (p_extra[0] >> 3) - 1; /* i_profile < 4 */
 
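Review bot: The `p_fmt->i_extra < 2` guard at the top of Add_ADTS does not cover every byte the function later reads from `p_extra`: the channel lookup shown as context in the next hunk indexes `p_extra[4]` when `i_index == 0x0f`, which is past the end of the extradata whenever `i_extra` is between 2 and 4. The extradata presumably originates from the input stream's format description, so the required length should depend on the index, for example `if( i_index == 0x0f && p_fmt->i_extra < 5 ) return p_data;` right after `i_index` is computed. Two lines between this hunk and the next are not shown, so an existing check there cannot be ruled out. Separately, `i_profile` carries the comment `/* i_profile < 4 */` but no visible code enforces it before the value is shifted into the header.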
@@ -1599,9 +1602,6 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
 
     int i_channels = (p_extra[i_index == 0x0f ? 4 : 1] >> 3) & 0x0f;
 
-#define ADTS_HEADER_SIZE 7 /* CRC needs 2 more bytes */
-
-
     /* keep a copy in case block_Realloc() fails */
     block_t *p_bak_block = block_Duplicate( p_data );
     if( !p_bak_block ) /* OOM, block_Realloc() is likely to lose our block */
@@ -1621,7 +1621,7 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
     p_buffer[0] = 0xff;
     p_buffer[1] = 0xf1; /* 0xf0 | 0x00 | 0x00 | 0x01 */
     p_buffer[2] = (i_profile << 6) | ((i_index & 0x0f) << 2) | ((i_channels >> 2) & 0x01) ;
-    p_buffer[3] = (i_channels << 6) | ((p_data->i_buffer >> 11) & 0x03);
+    p_buffer[3] = (i_channels << 6) | ((frame_length >> 11) & 0x03);
 
     /* variable header (starts at last 2 bits of 4th byte) */
 
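Review bot: `frame_length` is packed into a 13-bit header field here (`(frame_length >> 11) & 0x03`) and in the following hunk (`frame_length >> 3`, `(frame_length & 0x07) << 5`), but nothing visible checks that `p_data->i_buffer + ADTS_HEADER_SIZE` fits in 13 bits, so an oversized block would get a silently truncated length that disagrees with the payload actually emitted. A bound check where `frame_length` is computed would make the limit explicit, e.g. `if( frame_length > 0x1fff ) return p_data;`, mirroring the existing early return; whether to pass the block through or drop it is a decision for the maintainers. A short comment next to the assignment, such as `/* frame length field is 13 bits and counts the header too */`, would also document why the header size is added. The function starts and ends outside this hunk.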
@@ -1629,8 +1629,8 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
     /* XXX: We should check if it's CBR or VBR, but no known implementation
      * do that, and it's a pain to calculate this field */
 
-    p_buffer[4] = p_data->i_buffer >> 3;
-    p_buffer[5] = ((p_data->i_buffer & 0x07) << 5) | ((i_fullness >> 6) & 0x1f);
+    p_buffer[4] = frame_length >> 3;
+    p_buffer[5] = ((frame_length & 0x07) << 5) | ((i_fullness >> 6) & 0x1f);
     p_buffer[6] = ((i_fullness & 0x3f) << 2) /* | 0xfc */;
 
     return p_new_block;


