From 6d4576fb0273c217b3cbc2c6f43414476a8d5064 Mon Sep 17 00:00:00 2001 From: Martin Pulec Date: Mon, 5 Aug 2024 10:22:29 +0200 Subject: [PATCH] rtpdec_jpeg: watch bogus quant data As supposed by RFC 2435, watch invalid lengths for quantization tables. --- src/rtp/rtpdec_jpeg.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/src/rtp/rtpdec_jpeg.c b/src/rtp/rtpdec_jpeg.c index 9f9c751af..5537ed49c 100644 --- a/src/rtp/rtpdec_jpeg.c +++ b/src/rtp/rtpdec_jpeg.c @@ -87,7 +87,7 @@ parse_restart_interval(unsigned char **pckt_data, int verbose_adj) static void parse_quant_tables(struct decode_data_rtsp *dec, unsigned char **pckt_data, - int q) + const unsigned char *end, int q) { assert (q >= QUANT_TAB_T_FIRST_STATIC); @@ -108,6 +108,17 @@ parse_quant_tables(struct decode_data_rtsp *dec, unsigned char **pckt_data, assert(length == JPEG_QUANT_SIZE || length == 2 * JPEG_QUANT_SIZE); assert(precision == 0); // 8-bit JPEG should not use 16 bit tables + const ptrdiff_t remaining_bytes = end - *pckt_data; + if (length > remaining_bytes) { + MSG(ERROR, + "Bogus JPEG packet (q table len %" PRIu16 + " > %td remaining bytes! " + "Dropping packet...\n", + length, remaining_bytes); + *pckt_data += remaining_bytes;; + return; + } + uint8_t(*quant_table)[JPEG_QUANT_SIZE] = dec->jpeg.quantization_tables[q]; @@ -286,7 +297,9 @@ decode_frame_jpeg(struct coded_data *cdata, void *decode_data) } // for q>=128, 1st pckt contains tables if (off == 0 && q >= QUANT_TAB_T_FIRST_STATIC) { - parse_quant_tables(dec_data, &pckt_data, q); + const unsigned char *end = + (unsigned char *) pckt->data + pckt->data_len; + parse_quant_tables(dec_data, &pckt_data, end, q); } const long payload_hdr_len =