CVE-2023-37328: heap overwrite in subtitle parsing
This commit is contained in:
Wim Taymans
root
parent
5fe49a7162
commit
9c13aaac7a
|
|
@ -0,0 +1 @@
|
|||
489d54fcc3c8ee63cd03614e2f0e1ebfd5815539 gst-plugins-base-1.22.1.tar.xz
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
From f7f24aed62178dc1deb581a512029dcb20727137 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Tue, 13 Jun 2023 12:53:13 +0300
|
||||
Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
|
||||
opening `<`
|
||||
|
||||
Previously when fixing up subrip markip, we were looking from the start
|
||||
of the remaining buffer instead. Due to how skipping over closing tags
|
||||
works, the remaining buffer will still contain the closing `>` of the
|
||||
previous tag so if a unexpected closing tag is found after another
|
||||
closing tag, we would potentially do an out of bounds memmove().
|
||||
|
||||
Fixes ZDI-CAN-20968
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
|
||||
---
|
||||
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
|
||||
index 7aa922cdd8..d0960a971a 100644
|
||||
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
|
||||
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
|
||||
@@ -779,7 +779,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
|
||||
}
|
||||
|
||||
if (*next_tag == '<' && *(next_tag + 1) == '/') {
|
||||
- end_tag = strchr (cur, '>');
|
||||
+ end_tag = strchr (next_tag, '>');
|
||||
if (end_tag) {
|
||||
const gchar *last = NULL;
|
||||
if (num_open_tags > 0)
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
From 997e8b0a485a22a9e44d503d7a1c6aa1970061e0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Tue, 13 Jun 2023 12:58:26 +0300
|
||||
Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
|
||||
instead of only skipping `<`
|
||||
|
||||
This is a small optimization and avoids restarting the next parsing
|
||||
iteration on already accepted data.
|
||||
|
||||
On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
|
||||
previous commit independently is also a valid fix for it.
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
|
||||
---
|
||||
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
|
||||
index d0960a971a..b33ddbb2a7 100644
|
||||
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
|
||||
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
|
||||
@@ -794,6 +794,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
|
||||
} else {
|
||||
--num_open_tags;
|
||||
g_ptr_array_remove_index (open_tags, num_open_tags);
|
||||
+ cur = end_tag + 1;
|
||||
+ continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
Name: gstreamer1-plugins-base
|
||||
Version: 1.22.1
|
||||
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Summary: GStreamer streaming media framework base plugins
|
||||
|
||||
License: LGPLv2+
|
||||
|
|
@ -21,6 +21,8 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugin
|
|||
Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
|
||||
|
||||
Patch1: xdg-compile.patch
|
||||
Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
|
||||
Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
|
||||
|
||||
BuildRequires: meson >= 0.48.0
|
||||
BuildRequires: gcc
|
||||
|
|
@ -119,6 +121,8 @@ for the GStreamer Base Plugins library.
|
|||
%setup -q -n gst-plugins-base-%{version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p3
|
||||
%patch3 -p3
|
||||
|
||||
%build
|
||||
%meson \
|
||||
|
|
@ -483,6 +487,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
|
||||
- CVE-2023-37328: heap overwrite in subtitle parsing
|
||||
- Resolves: RHEL-19475
|
||||
|
||||
* Wed Apr 12 2021 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
|
||||
- Update to 1.22.1
|
||||
- Resolves: rhbz#2144557
|
||||
|
|
|
|||
Loading…
Reference in New Issue