From 322bb259337e72e6aa619afce48d0350c7aa284c Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Mon, 13 May 2024 12:57:39 +0200
Subject: [PATCH] gsf: check str len of string list property

ossfuzz issue 68297
---
 src/filters/dmx_gsf.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/filters/dmx_gsf.c b/src/filters/dmx_gsf.c
index dca7f4da13..15bac08df3 100644
--- a/src/filters/dmx_gsf.c
+++ b/src/filters/dmx_gsf.c
@@ -349,6 +349,16 @@ static GF_Err gsfdmx_read_prop(GF_BitStream *bs, GF_PropertyValue *p)
 		p->value.string_list.vals = gf_malloc(sizeof(char*) * len2);
 		for (i=0; i<len2; i++) {
 			len = gsfdmx_read_vlen(bs);
+			if (len >= GF_UINT_MAX-1) {
+				for (u32 j=0; j<i; j++) {
+					gf_free(p->value.string_list.vals[j]);
+					p->value.string_list.vals[j] = NULL;
+				}
+				p->value.string_list.nb_items = 0;
+				gf_free(p->value.string_list.vals);
+				GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[GSFDemux] invalid string length in string list property\n"));
+				return GF_NON_COMPLIANT_BITSTREAM;
+			}
 			char *str = gf_malloc(sizeof(char)*(len+1));
 			gf_bs_read_data(bs, str, len);
 			str[len] = 0;