[Bug 722669] New: h265parser:fix crash free of wrong pointer

GStreamer (bugzilla.gnome.org) bugzilla at gnome.org
Mon Jan 20 18:31:59 PST 2014


https://bugzilla.gnome.org/show_bug.cgi?id=722669
  GStreamer | gst-plugins-bad | unspecified

           Summary: h265parser:fix crash free of wrong pointer
    Classification: Platform
           Product: GStreamer
           Version: unspecified
        OS/Version: All
            Status: UNCONFIRMED
          Severity: major
          Priority: Normal
         Component: gst-plugins-bad
        AssignedTo: gstreamer-bugs at lists.freedesktop.org
        ReportedBy: whiterabbit.dhlee at gmail.com
         QAContact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---


Created an attachment (id=266833)
 View: https://bugzilla.gnome.org/attachment.cgi?id=266833
 Review: https://bugzilla.gnome.org/review?bug=722669&attachment=266833

fix crash free of wrong pointer

In gst_h265_parser_parse_slice_hdr(), the slice->entry_point_offset_minus1
member is not initialized.

At this time, if line 2242 is false, it goes to line 2469 and calls
gst_h265_slice_hdr_free, which then causes a memory crash.

2442     READ_UE_ALLOWED (&nr, slice->num_entry_point_offsets, 0, offset_max);
2443     if (slice->num_entry_point_offsets > 0) {
2444       READ_UE_ALLOWED (&nr, slice->offset_len_minus1, 0, 31);
2445       slice->entry_point_offset_minus1 =
2446           g_new0 (guint32, slice->num_entry_point_offsets);
2447       for (i = 0; i < slice->num_entry_point_offsets; i++)
2448         READ_UINT32 (&nr, slice->entry_point_offset_minus1[i],
2449             (slice->offset_len_minus1 + 1));
2450     }
2451   }
2452 
2453   if (pps->slice_segment_header_extension_present_flag) {
2454     guint16 slice_segment_header_extension_length;
2455     READ_UE_ALLOWED (&nr, slice_segment_header_extension_length, 0, 256);
2456     for (i = 0; i < slice_segment_header_extension_length; i++)
2457       if (!nal_reader_skip (&nr, 8))
2458         goto error;
2459   }
2460 
2461   slice->header_size = nal_reader_get_pos (&nr);
2462   slice->n_emulation_prevention_bytes = nal_reader_get_epb_count (&nr);
2463 
2464   return GST_H265_PARSER_OK;
2465 
2466 error:
2467   GST_WARNING ("error parsing \"Slice header\"");
2468 
2469   gst_h265_slice_hdr_free (slice);
2470 
2471   return GST_H265_PARSER_ERROR;

I have also attached a test stream.

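Added example (not part of the original report and not GStreamer code): a C illustration of the pattern the report describes, an error label that frees a heap member which may not have been assigned yet, written in the hardened form where the pointer is cleared before any statement can reach that label. The names slice_hdr, parse_slice_hdr and slice_hdr_free, the toy byte format, and the use of calloc/free in place of g_new0/g_free are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the slice header (not the GStreamer struct). */
typedef struct {
  uint32_t num_entry_point_offsets;
  uint32_t *entry_point_offset_minus1;  /* heap array owned by the header */
} slice_hdr;
enum { PARSE_OK = 0, PARSE_ERROR = 1 };

/* Frees the owned array and resets the pointer, so a repeat call is harmless. */
static void slice_hdr_free(slice_hdr *s) {
  free(s->entry_point_offset_minus1);
  s->entry_point_offset_minus1 = NULL;
}

/* Constructed toy format: byte 0 = offset count, then one byte per offset. */
static int parse_slice_hdr(slice_hdr *s, const uint8_t *buf, size_t len) {
  size_t pos = 0;
  uint32_t i;
  /* Owned pointers are cleared before the first statement that can reach
   * the error label, so the error path never frees a stale value. */
  s->entry_point_offset_minus1 = NULL;
  s->num_entry_point_offsets = 0;
  if (pos >= len) goto error;           /* early failure, nothing allocated */
  s->num_entry_point_offsets = buf[pos++];
  if (s->num_entry_point_offsets > 0) {
    s->entry_point_offset_minus1 = calloc(s->num_entry_point_offsets, sizeof(uint32_t));
    if (s->entry_point_offset_minus1 == NULL) goto error;
    for (i = 0; i < s->num_entry_point_offsets; i++) {
      if (pos >= len) goto error;       /* truncated input, array is live */
      s->entry_point_offset_minus1[i] = buf[pos++];
    }
  }
  return PARSE_OK;
error:
  slice_hdr_free(s);                    /* sees only NULL or a live allocation */
  s->num_entry_point_offsets = 0;
  return PARSE_ERROR;
}

int main(void) {
  slice_hdr s;
  memset(&s, 0xAA, sizeof s);           /* simulate a caller's uninitialized struct */
  int rc = parse_slice_hdr(&s, NULL, 0);  /* empty input fails before any allocation */
  return (rc == PARSE_ERROR && s.entry_point_offset_minus1 == NULL) ? 0 : 1;
}
```

Without the two assignments at the top of parse_slice_hdr, the early goto would hand free() whatever bytes the caller's struct happened to contain, which is the crash condition the report describes.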