From: Jaroslav Kysela <perex@perex.cz>
Date: Fri, 23 Oct 2015 22:15:28 +0000 (+0200)
Subject: parsers: fix H264 and H265 parsers (multiple 0x1e0)
X-Git-Tag: v4.2.1~1788
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3ba5f7a807b571f9bcaf182f839220d88523d22a;p=thirdparty%2Ftvheadend.git

parsers: fix H264 and H265 parsers (multiple 0x1e0)
---

diff --git a/src/parsers/parsers.c b/src/parsers/parsers.c
index 4f1223b01..b887e33c9 100644
--- a/src/parsers/parsers.c
+++ b/src/parsers/parsers.c
@@ -1259,16 +1259,21 @@ parse_h264(service_t *t, elementary_stream_t *st, size_t len,
     if(len >= 9) {
       uint16_t plen = buf[4] << 8 | buf[5];
       th_pkt_t *pkt = st->es_curpkt;
-      if(plen >= 0xffe9) st->es_incomplete = 1;
+      if (plen >= 0xffe9) st->es_incomplete = 1;
       l2 = parse_pes_header(t, st, buf + 6, len - 6);
+      if (l2 < 0)
+        return PARSER_DROP;
 
       if (pkt) {
-        if (l2 + 1 <= len - 6) {
+        if (l2 < len - 6 && l2 + 7 != len) {
           /* This is the rest of this frame. */
           /* Do not include trailing zero. */
-          pkt->pkt_payload = pktbuf_append(pkt->pkt_payload, buf + 6 + l2, len - 6 - l2 - 1);
+          pkt->pkt_payload = pktbuf_append(pkt->pkt_payload, buf + 6 + l2, len - 6 - l2);
         }
 
+        if (next_startcode >= 0x000001e0 && next_startcode <= 0x000001ef)
+          return PARSER_RESET;
+
         parser_deliver(t, st, pkt);
 
         st->es_curpkt = NULL;
@@ -1390,16 +1395,21 @@ parse_hevc(service_t *t, elementary_stream_t *st, size_t len,
     if(len >= 9) {
       uint16_t plen = buf[4] << 8 | buf[5];
       th_pkt_t *pkt = st->es_curpkt;
-      if(plen >= 0xffe9) st->es_incomplete = 1;
+      if (plen >= 0xffe9) st->es_incomplete = 1;
       l2 = parse_pes_header(t, st, buf + 6, len - 6);
+      if (l2 < 0)
+        return PARSER_DROP;
 
       if (pkt) {
-        if (l2 + 1 <= len - 6) {
+        if (l2 < len - 6 && l2 + 7 != len) {
           /* This is the rest of this frame. */
           /* Do not include trailing zero. */
-          pkt->pkt_payload = pktbuf_append(pkt->pkt_payload, buf + 6 + l2, len - 6 - l2 - 1);
+          pkt->pkt_payload = pktbuf_append(pkt->pkt_payload, buf + 6 + l2, len - 6 - l2);
         }
 
+        if (next_startcode >= 0x000001e0 && next_startcode <= 0x000001ef)
+          return PARSER_RESET;
+
         parser_deliver(t, st, pkt);
 
         st->es_curpkt = NULL;