From 478653961d090f868521e8513518fe8d7c67cba3 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Mon, 16 Dec 2024 11:26:07 +0100
Subject: [PATCH 7/8] vorbis_parse: check writes to GstOggStream.vorbis_mode_sizes

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-117
Fixes gstreamer#3875

Also perform out-of-bounds check for accesses to op->packet

Part-of:
---
 ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ext/ogg/vorbis_parse.c b/ext/ogg/vorbis_parse.c
index 2d85e9397..df52f7eb5 100644
--- a/ext/ogg/vorbis_parse.c
+++ b/ext/ogg/vorbis_parse.c
@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
     if (offset == 0) {
       offset = 8;
       current_pos -= 1;
+
+      /* have we underrun? */
+      if (current_pos < op->packet)
+        return -1;
     }
   }
@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
   if (offset == 7)
     current_pos -= 1;
+  /* have we underrun? */
+  if (current_pos < op->packet + 5)
+    return -1;
+
   if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
       || current_pos[-4] != 0
@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
   /* Give ourselves a chance to recover if we went back too far by using
    * the size check. */
   for (ii = 0; ii < 2; ii++) {
+
     if (offset > 4) {
+      /* have we underrun? */
+      if (current_pos < op->packet)
+        return -1;
+
       size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
     } else {
+      /* have we underrun? */
+      if (current_pos < op->packet + 1)
+        return -1;
+
       /* mask part of byte from current_pos */
       size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
       /* shift to appropriate position */
@@ -229,6 +246,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
   mode_size_ptr = pad->vorbis_mode_sizes;
+  if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
+    return -1;
+  }
+
   for (i = 0; i < size; i++) {
     offset = (offset + 1) % 8;
     if (offset == 0)
-- 
2.47.0
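Review bot: The new `if (current_pos < op->packet)` test in the first hunk runs after `current_pos -= 1;` has already executed, so when the pointer was at `op->packet` the decrement forms a pointer below the start of the packet buffer, which is undefined behaviour in C even if the pointer is only compared and never dereferenced; an optimiser may treat the comparison as always false. Checking before the move avoids that: `if (current_pos == op->packet) return -1;` followed by `current_pos -= 1;`, or keeping the position as a byte index into op->packet and comparing integers. The hunk at `@@ -178` has the same decrement-then-compare shape against `op->packet + 5`, though there the pointer can only go below the buffer if it already sat at `op->packet`. The loop containing this check and gst_parse_vorbis_setup_packet itself both start and end outside the hunk.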
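Review bot: The `size > G_N_ELEMENTS (pad->vorbis_mode_sizes)` guard in the last hunk bounds the writes through mode_size_ptr, but the loop it precedes also steps `current_pos` backwards (`current_pos -= 1` is presumably the statement after `if (offset == 0)`) and the read that follows is outside the hunk, so it is not visible here whether that read carries an underrun check like the ones added in the earlier hunks; if it does not, a packet that ends before `size` mode bits have been read could presumably still be read below op->packet. A short comment on the guard would record the invariant the loop relies on, e.g. `/* size is capped at G_N_ELEMENTS (vorbis_mode_sizes) so the loop below cannot write past the array */`. The for loop and the function continue past the end of the hunk.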