From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Fri, 8 Nov 2024 10:45:07 +0100 Subject: [PATCH 5/8] exiftag: Prevent integer overflows and out of bounds reads when handling undefined tags Fixes ZDI-CAN-23896 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483 Part-of: --- gst-libs/gst/tag/gstexiftag.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c index b615779be..558996b42 100644 --- a/gst-libs/gst/tag/gstexiftag.c +++ b/gst-libs/gst/tag/gstexiftag.c @@ -1372,6 +1372,8 @@ parse_exif_long_tag (GstExifReader * reader, const GstExifTagMatch * tag, } } +static inline gboolean size_checked_add(gsize *dest, gsize a, gsize b) { + *dest = a + b; return *dest >= a; } static void parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag, @@ -1383,6 +1385,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag, if (count > 4) { GstMapInfo info; + gsize alloc_size; if (offset < reader->base_offset) { GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset, @@ -1404,14 +1407,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag, return; } + if (info.size - real_offset < count) { + GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT + ", not adding tag %s", count, info.size, tag->gst_tag); + gst_buffer_unmap (reader->buffer, &info); + return; + } + + if (!size_checked_add (&alloc_size, count, 1)) { + GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT + ", not adding tag %s", real_offset, info.size, tag->gst_tag); + gst_buffer_unmap (reader->buffer, &info); + return; + } + /* +1 because it could be a string without the \0 */ - data = malloc (sizeof (guint8) * count + 1); + data = malloc (alloc_size); memcpy (data, info.data + real_offset, count); data[count] = 0; gst_buffer_unmap (reader->buffer, &info); } else { - data = malloc (sizeof (guint8) * count + 1); + data = malloc (count + 1); memcpy (data, (guint8 *) offset_as_data, count); data[count] = 0; } -- 2.47.0