Patch CVE-2023-40474: Integer overflow

Patch CVE-2023-40475: Integer overflow
Patch CVE-2023-40476: Integer overflow in H.265 video parser
Resolves: RHEL-19500, RHEL-19504, RHEL-19507
This commit is contained in:
Wim Taymans 2024-01-17 13:22:17 +01:00
parent 63890049c3
commit ab2ecef3dd
4 changed files with 214 additions and 1 deletions

View File

@ -0,0 +1,114 @@
From b6353c44ca9f005d3b57ee07fda0570d80eecc0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 10 Aug 2023 15:45:01 +0300
Subject: [PATCH 3/5] mxfdemux: Fix integer overflow causing out of bounds
writes when handling invalid uncompressed video
Check ahead of time when parsing the track information whether
width, height and bpp are valid and usable without overflows.
Fixes ZDI-CAN-21660, CVE-2023-40474
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
---
gst/mxf/mxfup.c | 51 +++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 43 insertions(+), 8 deletions(-)
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
index d8b6664da..ba86255f2 100644
--- a/gst/mxf/mxfup.c
+++ b/gst/mxf/mxfup.c
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gpointer mapping_data, GstBuffer ** outbuf)
{
MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
/* SMPTE 384M 7.1 */
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
}
}
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
GST_ERROR ("Invalid buffer size");
gst_buffer_unref (buffer);
return GST_FLOW_ERROR;
}
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
guint y;
GstBuffer *ret;
GstMapInfo inmap, outmap;
guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
indata = inmap.data;
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
for (y = 0; y < data->height; y++) {
memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
}
gst_buffer_unmap (buffer, &inmap);
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
return NULL;
}
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
return caps;
}
--
2.43.0

View File

@ -0,0 +1,45 @@
From 706abb367ab366be142fbea4e454fdaa7e7e2bcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 10 Aug 2023 15:47:03 +0300
Subject: [PATCH 4/5] mxfdemux: Check number of channels for AES3 audio
Only up to 8 channels are allowed and using a higher number would cause
integer overflows when copying the data, and lead to out of bound
writes.
Also check that each buffer is at least 4 bytes long to avoid another
overflow.
Fixes ZDI-CAN-21661, CVE-2023-40475
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
---
gst/mxf/mxfd10.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
index 21401cf52..99c197ab9 100644
--- a/gst/mxf/mxfd10.c
+++ b/gst/mxf/mxfd10.c
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
GstAudioFormat audio_format;
if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor");
--
2.43.0

View File

@ -0,0 +1,42 @@
From 33868442087aac6f26f18aeafd527c1a75946f34 Mon Sep 17 00:00:00 2001
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Date: Wed, 17 Jan 2024 12:50:34 +0100
Subject: [PATCH 5/5] h265parser: Fix possible overflow using
max_sub_layers_minus1
This fixes a possible overflow that can be triggered by an invalid value of
max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
but the allowed range is 0 to 6 only.
Fixes ZDI-CAN-21768, CVE-2023-40476
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
---
gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index 16fce006b..2e8ef182b 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1490,6 +1490,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
/* skip reserved_0xffff_16bits */
@@ -1669,6 +1670,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
sps->vps = vps;
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
--
2.43.0

View File

@ -14,7 +14,7 @@
Name: gstreamer1-plugins-bad-free Name: gstreamer1-plugins-bad-free
Version: 1.16.1 Version: 1.16.1
Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer streaming media framework "bad" plugins Summary: GStreamer streaming media framework "bad" plugins
License: LGPLv2+ and LGPLv2 License: LGPLv2+ and LGPLv2
@ -33,6 +33,9 @@ Source1: gst-p-bad-cleanup.sh
#upstream patches #upstream patches
Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
Patch1: 0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
Patch2: 0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
Patch3: 0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
BuildRequires: gstreamer1-devel >= %{version} BuildRequires: gstreamer1-devel >= %{version}
BuildRequires: gstreamer1-plugins-base-devel >= %{version} BuildRequires: gstreamer1-plugins-base-devel >= %{version}
@ -186,6 +189,9 @@ aren't tested well enough, or the code is not of good enough quality.
%prep %prep
%setup -q -n gst-plugins-bad-%{version} %setup -q -n gst-plugins-bad-%{version}
%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build %build
%configure --disable-silent-rules --disable-fatal-warnings \ %configure --disable-silent-rules --disable-fatal-warnings \
@ -474,6 +480,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%changelog %changelog
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
- Patch CVE-2023-40474: Integer overflow
- Patch CVE-2023-40475: Integer overflow
- Patch CVE-2023-40476: Integer overflow in H.265 video parser
- Resolves: RHEL-19500, RHEL-19504, RHEL-19507
* Thu Jan 11 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3 * Thu Jan 11 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
- Bump to avoid conflict with z stream. - Bump to avoid conflict with z stream.
- Resolves: RHEL-16794 - Resolves: RHEL-16794