Hi!
> I was using mpegdemux to demux an mpeg stream I ripped from a dvd, when it
> started to malloc about 4 GB of memory and trashing my system. A bit of
> investigation exposed an integer overflow in mpeg_demux.c.
Upon further debugging, I managed to find the real cause of the problem
(I think). The issue is caused by the --ac3 option, which according to
the man page does the following:
| AC3 sound packets in DVD MPEG2 streams have a 3 byte header that is
| neither part of the MPEG specification nor of the AC3 specification.
| When this option is used, these 3 bytes are removed to produce a
| correct AC3 stream.
However, in the actual code, these 3 bytes are skipped not only for AC3
streams (stream id 0xbd, substream 0x80-0x9f), but for _any_ private
substream (including, for example, vobsub subtitle streams).
Here's an updated patch to fix this. I kept the check for the integer
overflow in, as it might expose other bugs in the code.
Please also send this patch upstream.
--- mpeg_demux.c.orig 2008-12-27 23:53:03.340719670 +0100
+++ mpeg_demux.c 2008-12-28 12:08:56.951720038 +0100
@@ -170,7 +172,7 @@
fpi = 256 + ssid;
cnt += 1;
- if (par_dvdac3) {
+ if (par_dvdac3 && ssid >= 0x80 && ssid < 0xa0 ) {
cnt += 3;
}
}
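Review bot: the bounds 0x80 and 0xa0 in the new condition are bare magic numbers, so a short comment or a pair of named constants stating that this is the DVD AC3 substream range (0x80-0x9f) would keep the intent visible in the code and not only in the mail. The spacing in "0xa0 )" also differs from the "if (par_dvdac3) {" style of the line it replaces.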
@@ -186,6 +188,13 @@
mpegd_skip (mpeg, cnt);
}
+ if ( cnt > mpeg->packet.size )
+ {
+ fprintf( stderr, "Whoopsie, count is less than packet size\n" );
+ fprintf( stderr, "broken MPEG stream bailing out\n" );
+ exit(1);
+ }
+
cnt = mpeg->packet.size - cnt;
if ((sid == 0xbd) && par_dvdsub) {
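Review bot: the first message in the added check reads "count is less than packet size", but the condition is "cnt > mpeg->packet.size", so the text states the opposite of what was detected and should say the count is greater than the packet size. The check also comes after the "mpegd_skip (mpeg, cnt);" shown in the context above it, so on that path cnt is used before it is validated; consider moving the check ahead of the skip. The brace-on-its-own-line and "if ( ... )" spacing differ from the surrounding "if (...) {" style.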
--
+--------------------------------------------------------------+
| Bas Zoetekouw | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie: |
| [email protected] | The dew shall weep thy fall tonight; |
+--------------------| For thou must die. |
+-----------------------------------------+