CVE-2023-37328 gstreamer1-plugins-base: heap overwrite in subtitle parsing

Resolves: RHEL-19472
This commit is contained in:
Wim Taymans 2024-01-17 16:10:29 +01:00
parent 4e44233231
commit d41e314f67
3 changed files with 78 additions and 1 deletions

View File

@ -0,0 +1,36 @@
From 5e8fa4cb835a938aba72f2b7ccd3e784e5886df8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:53:13 +0300
Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
opening `<`
Previously when fixing up subrip markip, we were looking from the start
of the remaining buffer instead. Due to how skipping over closing tags
works, the remaining buffer will still contain the closing `>` of the
previous tag so if a unexpected closing tag is found after another
closing tag, we would potentially do an out of bounds memmove().
Fixes ZDI-CAN-20968
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
gst/subparse/gstsubparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
index 425415874..e8d3ecaef 100644
--- a/gst/subparse/gstsubparse.c
+++ b/gst/subparse/gstsubparse.c
@@ -814,7 +814,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
}
if (*next_tag == '<' && *(next_tag + 1) == '/') {
- end_tag = strchr (cur, '>');
+ end_tag = strchr (next_tag, '>');
if (end_tag) {
const gchar *last = NULL;
if (num_open_tags > 0)
--
2.43.0

View File

@ -0,0 +1,33 @@
From 889e0b00c2b3b4ecb8ab8116d6192ee7f3b37909 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:58:26 +0300
Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
instead of only skipping `<`
This is a small optimization and avoids restarting the next parsing
iteration on already accepted data.
On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
previous commit independently is also a valid fix for it.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
gst/subparse/gstsubparse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
index e8d3ecaef..9336419e1 100644
--- a/gst/subparse/gstsubparse.c
+++ b/gst/subparse/gstsubparse.c
@@ -827,6 +827,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
} else {
--num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags);
+ cur = end_tag + 1;
+ continue;
}
}
}
--
2.43.0

View File

@ -6,7 +6,7 @@
Name: gstreamer1-plugins-base
Version: 1.16.1
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer streaming media framework base plugins
License: LGPLv2+
@ -20,6 +20,8 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugin
%endif
Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
Patch1: 0002-video-disable-ORC_RESTRICT.patch
Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
BuildRequires: gcc-c++
BuildRequires: gstreamer1-devel >= %{version}
@ -116,6 +118,8 @@ for the GStreamer Base Plugins library.
%setup -q -n gst-plugins-base-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
# die rpath (method of modifying libtool fails here)
@ -483,6 +487,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
%changelog
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
- CVE-2023-37328 gstreamer1-plugins-base: heap overwrite in subtitle parsing
- Resolves: RHEL-19472
* Wed Dec 9 2020 Wim Taymans <wtaymans@redhat.com> - 1.16.1-2
- Fix man file names for Flatpak builds
- Resolves: rhbz#1895935