In filters/reframe_adts.c, function adts_dmx_process, there is a code fragment like the one below:
```c
size = ctx->hdr.frame_size - ctx->hdr.hdr_size;
offset = ctx->hdr.hdr_size;
......
memcpy(output, sync + offset, size);
```
However, with a crafted file, ctx->hdr.frame_size may be smaller than ctx->hdr.hdr_size.
So the size may be a negative number, which results in a heap overflow in memcpy.
On the command line:

```
gpac -info bug6
```
In gdb:

The crafted file is in the attached zip:
bug6.zip
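
The length check this report implies, as an added example that is not GPAC's code or the project's actual fix: it shows the value an unchecked subtraction hands to memcpy and a guarded copy that rejects inconsistent headers. The `adts_hdr` struct, field widths, function names and sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the header fields named in the report. */
typedef struct {
    uint32_t frame_size; /* total frame length declared by the file */
    uint32_t hdr_size;   /* header length */
} adts_hdr;

/* Length memcpy receives when a signed, negative result is converted
 * to size_t: it wraps to a value close to SIZE_MAX. */
size_t unchecked_memcpy_len(int frame_size, int hdr_size)
{
    int size = frame_size - hdr_size;
    return (size_t)size;
}

/* Guarded copy: returns the payload bytes copied, or -1 when the header
 * is inconsistent with itself, the buffered input or the output buffer. */
long copy_adts_payload(const adts_hdr *hdr, const uint8_t *sync, size_t avail,
                       uint8_t *output, size_t out_cap)
{
    if (hdr->frame_size < hdr->hdr_size) return -1; /* subtraction would wrap */
    if (hdr->frame_size > avail) return -1;         /* frame exceeds input */
    size_t size = (size_t)hdr->frame_size - hdr->hdr_size;
    if (size > out_cap) return -1;                  /* payload exceeds output */
    memcpy(output, sync + hdr->hdr_size, size);
    return (long)size;
}

/* Constructed sample: 16 buffered bytes, header values chosen by the caller. */
long run_sample(uint32_t frame_size, uint32_t hdr_size)
{
    uint8_t in[16] = {0xFF, 0xF1}; /* constructed input, starts with a syncword */
    uint8_t out[16];
    adts_hdr h = { frame_size, hdr_size };
    return copy_adts_payload(&h, in, sizeof in, out, sizeof out);
}

int main(void)
{
    printf("unchecked length for 5 - 7: %zu\n", unchecked_memcpy_len(5, 7));
    printf("consistent header (12, 7):  %ld\n", run_sample(12, 7));
    printf("crafted header (5, 7):      %ld\n", run_sample(5, 7));
    return 0;
}
```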