On Fri, 15 Nov 2024, Scott Theisen wrote:

originally from:
https://github.com/MythTV/mythtv/commit/a1d4d112c3f962a85ddd6248592421171fc8331c
referencing:
https://code.mythtv.org/trac/ticket/1887

ISO/IEC 13818-1:2021 specifies a valid range of [0x0010, 0x1FFE] in
§ 2.4.4.6 Semantic definition of fields in program association section
and Table 2-3 – PID table
---
libavformat/mpegts.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 78ab7f7efe..6d5dc3050b 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -2580,6 +2580,12 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t 
*section, int section_len
            break;

        av_log(ts->stream, AV_LOG_TRACE, "sid=0x%x pid=0x%x\n", sid, pmt_pid);
+        if (pmt_pid <= 0x000F || pmt_pid >= 0x1FFF)
+        {
+            av_log(ts->stream, AV_LOG_ERROR, "Invalid PAT ignored "
+                   "MPEG Program Number=0x%x pid=0x%x\n", sid, pmt_pid);
+            return;
+        }

Strictly speaking this is no longer needed, because the crash which is fixed by this is already fixed by the check above:

        if (pmt_pid == ts->current_pid)
            break;

Nevertheless, I am not against a more restrictive check for pids, so maybe extending the current check with this:

if (pmt_pid == ts->current_pid || pmt_pid <= 0x000F || pmt_pid >= 0x1FFF)

would be better. If you want to report an error however, maybe you should use av_log_once() to not spam the user about the same issue for every PAT packet?

Also you might consider using continue instead of return, after all there is a specific entry in the PAT which is bogus, maybe we should simply ignore only that entry.

Thanks,
Marton



        if (sid == 0x0000) {
            /* NIT info */
--
2.43.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to