[vlc-commits] [Git][videolan/vlc][master] contrib: dvbpsi: fix out-of-bounds read

Thomas Guillem (@tguillem) gitlab at videolan.org
Mon Sep 15 08:34:13 UTC 2025



Thomas Guillem pushed to branch master at VideoLAN / VLC


Commits:
a89e30a4 by François Cartegnie at 2025-09-15T10:33:46+02:00
contrib: dvbpsi: fix out-of-bounds read

- - - - -


5 changed files:

- + contrib/src/dvbpsi/0001-dvbpsi_packet_push-compute-sizes-using-pointer-to-en.patch
- + contrib/src/dvbpsi/0002-dvbpsi_packet_push-check-adaptation-field-length.patch
- + contrib/src/dvbpsi/0003-dvbpsi_packet_push-check-section-pointers-field.patch
- + contrib/src/dvbpsi/0004-dvbpsi_packet_push-check-section-length.patch
- contrib/src/dvbpsi/rules.mak


Changes:

=====================================
contrib/src/dvbpsi/0001-dvbpsi_packet_push-compute-sizes-using-pointer-to-en.patch
=====================================
@@ -0,0 +1,52 @@
+From 84657f4a293dda1c58fc1d8183436c95436a3785 Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie <fcvlcdev at free.fr>
+Date: Mon, 18 Nov 2024 13:19:27 +0700
+Subject: [PATCH 1/4] dvbpsi_packet_push: compute sizes using pointer to end of
+ packet
+
+---
+ src/dvbpsi.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/dvbpsi.c b/src/dvbpsi.c
+index cbb7511..a11d70a 100644
+--- a/src/dvbpsi.c
++++ b/src/dvbpsi.c
+@@ -263,6 +263,7 @@ bool dvbpsi_packet_push(dvbpsi_t *p_dvbpsi, uint8_t* p_data)
+                                              section is handled */
+     int i_available;                      /* Byte count available in the
+                                              packet */
++    const uint8_t *p_data_end = &p_data[188]; /* end of packet */
+ 
+     dvbpsi_decoder_t *p_decoder = p_dvbpsi->p_decoder;
+     assert(p_decoder);
+@@ -355,7 +356,7 @@ bool dvbpsi_packet_push(dvbpsi_t *p_dvbpsi, uint8_t* p_data)
+     }
+ 
+     /* Remaining bytes in the payload */
+-    i_available = 188 + p_data - p_payload_pos;
++    i_available = p_data_end - p_payload_pos;
+ 
+     while (i_available > 0)
+     {
+@@ -395,7 +396,7 @@ bool dvbpsi_packet_push(dvbpsi_t *p_dvbpsi, uint8_t* p_data)
+                         p_new_pos = NULL;
+                         p_decoder->i_need = 3;
+                         p_decoder->b_complete_header = false;
+-                        i_available = 188 + p_data - p_payload_pos;
++                        i_available = p_data_end - p_payload_pos;
+                     }
+                     else
+                     {
+@@ -480,7 +481,7 @@ bool dvbpsi_packet_push(dvbpsi_t *p_dvbpsi, uint8_t* p_data)
+                     p_new_pos = NULL;
+                     p_decoder->i_need = 3;
+                     p_decoder->b_complete_header = false;
+-                    i_available = 188 + p_data - p_payload_pos;
++                    i_available = p_data_end - p_payload_pos;
+                 }
+                 else
+                 {
+-- 
+2.48.1
+
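Review bot: The comment `/* end of packet */` on `p_data_end` understates what the pointer is: `&p_data[188]` is one past the last byte, and the function takes no length argument, so it relies on the caller passing a full 188-byte TS packet. I would say so at the declaration, e.g. `/* one past the last byte; p_data must hold a full 188-byte TS packet */`, and give 188 a name rather than a bare literal. `i_available` stays an `int` that receives a pointer difference, which is fine for a 188-byte range but should be revisited if the packet size ever becomes variable.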


=====================================
contrib/src/dvbpsi/0002-dvbpsi_packet_push-check-adaptation-field-length.patch
=====================================
@@ -0,0 +1,28 @@
+From f3f354fa18aaf9ebbe37b74d6fe91409a3dd8a75 Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie <fcvlcdev at free.fr>
+Date: Mon, 18 Nov 2024 13:20:15 +0700
+Subject: [PATCH 2/4] dvbpsi_packet_push: check adaptation field length
+
+---
+ src/dvbpsi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/dvbpsi.c b/src/dvbpsi.c
+index a11d70a..0c8c440 100644
+--- a/src/dvbpsi.c
++++ b/src/dvbpsi.c
+@@ -315,7 +315,11 @@ bool dvbpsi_packet_push(dvbpsi_t *p_dvbpsi, uint8_t* p_data)
+ 
+     /* Skip the adaptation_field if present */
+     if (p_data[3] & 0x20)
++    {
+         p_payload_pos = p_data + 5 + p_data[4];
++	if(p_payload_pos >= p_data_end)
++	    return false;
++    }
+     else
+         p_payload_pos = p_data + 4;
+ 
+-- 
+2.48.1
+
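Review bot: In the added adaptation-field check, `p_payload_pos = p_data + 5 + p_data[4]` is still computed before it is compared with `p_data_end`, and with a length byte of up to 255 that pointer can lie far past the end of the packet. C only defines pointer arithmetic up to one past the end of the object, so if the caller's buffer is exactly 188 bytes the comparison rests on undefined behaviour and a compiler may assume it never fails. Validating the length as an integer before forming the pointer avoids this, e.g. `if (p_data[4] > 182) return false;` (182 is the largest value the added check accepts). The same pattern applies to `p_new_pos` in the 0003 patch, where `p_payload_pos + *p_payload_pos + 1` is formed before the test against `p_data_end`. The added lines in both patches are tab-indented while the surrounding context uses spaces.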


=====================================
contrib/src/dvbpsi/0003-dvbpsi_packet_push-check-section-pointers-field.patch
=====================================
@@ -0,0 +1,25 @@
+From 528be758326ac8c1caaf33bbd47615f2df00f21f Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie <fcvlcdev at free.fr>
+Date: Mon, 18 Nov 2024 13:20:34 +0700
+Subject: [PATCH 3/4] dvbpsi_packet_push: check section pointers field
+
+---
+ src/dvbpsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/dvbpsi.c b/src/dvbpsi.c
+index 0c8c440..6b5641a 100644
+--- a/src/dvbpsi.c
++++ b/src/dvbpsi.c
+@@ -328,6 +328,8 @@ bool dvbpsi_packet_push(dvbpsi_t *p_dvbpsi, uint8_t* p_data)
+     {
+         p_new_pos = p_payload_pos + *p_payload_pos + 1;
+         p_payload_pos += 1;
++	if(p_payload_pos >= p_data_end || p_new_pos >= p_data_end)
++	    return false;
+     }
+ 
+     p_section = p_decoder->p_current_section;
+-- 
+2.48.1
+


=====================================
contrib/src/dvbpsi/0004-dvbpsi_packet_push-check-section-length.patch
=====================================
@@ -0,0 +1,35 @@
+From 029b69147ea866b6ff5b938ef32cdfd8a8603303 Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie <fcvlcdev at free.fr>
+Date: Mon, 18 Nov 2024 17:35:52 +0700
+Subject: [PATCH 4/4] dvbpsi_packet_push: check section length
+
+---
+ src/dvbpsi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/dvbpsi.c b/src/dvbpsi.c
+index 6b5641a..89444c5 100644
+--- a/src/dvbpsi.c
++++ b/src/dvbpsi.c
+@@ -377,12 +377,14 @@ bool dvbpsi_packet_push(dvbpsi_t *p_dvbpsi, uint8_t* p_data)
+ 
+             if (!p_decoder->b_complete_header)
+             {
+-                /* Header is complete */
+-                p_decoder->b_complete_header = true;
+                 /* Compute p_section->i_length and update p_decoder->i_need */
+-                p_decoder->i_need = p_section->i_length
+-                                  = ((uint16_t)(p_section->p_data[1] & 0xf)) << 8
++                p_section->i_length = ((uint16_t)(p_section->p_data[1] & 0xf)) << 8
+                                        | p_section->p_data[2];
++                if(p_section->i_length > 4093)
++                    return false;
++                p_decoder->i_need = p_section->i_length;
++                /* Header is complete */
++                p_decoder->b_complete_header = true;
+                 /* Check that the section isn't too long */
+                 if (p_decoder->i_need > p_decoder->i_section_max_size - 3)
+                 {
+-- 
+2.48.1
+
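Review bot: The new `return false` for `i_length > 4093` leaves the decoder state untouched, whereas the existing oversized-section branch just below appears (from the context lines in the 0001 patch) to reset `p_new_pos`, `p_decoder->i_need` and `p_decoder->b_complete_header`. If the three header bytes have already been appended to the current section at this point, which the hunk does not show, later packets would keep filling a section whose header was rejected. Consider routing the case through the existing branch with the assignments kept ahead of it, e.g. `if (p_section->i_length > 4093 || p_decoder->i_need > p_decoder->i_section_max_size - 3)`. The literal 4093 would also benefit from a named constant or a comment stating where the limit comes from. The enclosing loop starts and ends outside the hunk.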


=====================================
contrib/src/dvbpsi/rules.mak
=====================================
@@ -20,6 +20,10 @@ libdvbpsi: libdvbpsi-$(DVBPSI_VERSION).tar.bz2 .sum-dvbpsi
 	$(APPLY) $(SRC)/dvbpsi/dvbpsi-sys-types.patch
 	$(APPLY) $(SRC)/dvbpsi/0001-really-identify-duplicates.patch
 	$(APPLY) $(SRC)/dvbpsi/0002-really-reset-packet-counter.patch
+	$(APPLY) $(SRC)/dvbpsi/0001-dvbpsi_packet_push-compute-sizes-using-pointer-to-en.patch
+	$(APPLY) $(SRC)/dvbpsi/0002-dvbpsi_packet_push-check-adaptation-field-length.patch
+	$(APPLY) $(SRC)/dvbpsi/0003-dvbpsi_packet_push-check-section-pointers-field.patch
+	$(APPLY) $(SRC)/dvbpsi/0004-dvbpsi_packet_push-check-section-length.patch
 	$(MOVE)
 
 .dvbpsi: libdvbpsi



View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/a89e30a4d2cb156b8a4f68aa52b11ebd0d8eb25a
