rpms/gstreamer1-plugins-base
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c8s
gstreamer1-plugins-base/0005-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
Wim Taymans c8375f1253 Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615 
Resolves: RHEL-70974, RHEL-71010, RHEL-70986
2024-12-16 16:02:11 +01:00

70 lines
2.4 KiB
Diff
Raw Permalink Blame History

From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Fri, 8 Nov 2024 10:45:07 +0100
Subject: [PATCH 5/8] exiftag: Prevent integer overflows and out of bounds
reads when handling undefined tags
Fixes ZDI-CAN-23896
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768>
---
gst-libs/gst/tag/gstexiftag.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c
index b615779be..558996b42 100644
--- a/gst-libs/gst/tag/gstexiftag.c
+++ b/gst-libs/gst/tag/gstexiftag.c
@@ -1372,6 +1372,8 @@ parse_exif_long_tag (GstExifReader * reader, const GstExifTagMatch * tag,
}
}
+static inline gboolean size_checked_add(gsize *dest, gsize a, gsize b) {
+ *dest = a + b; return *dest >= a; }
static void
parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
@@ -1383,6 +1385,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
if (count > 4) {
GstMapInfo info;
+ gsize alloc_size;
if (offset < reader->base_offset) {
GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
@@ -1404,14 +1407,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
return;
}
+ if (info.size - real_offset < count) {
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+ ", not adding tag %s", count, info.size, tag->gst_tag);
+ gst_buffer_unmap (reader->buffer, &info);
+ return;
+ }
+
+ if (!size_checked_add (&alloc_size, count, 1)) {
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+ ", not adding tag %s", real_offset, info.size, tag->gst_tag);
+ gst_buffer_unmap (reader->buffer, &info);
+ return;
+ }
+
/* +1 because it could be a string without the \0 */
- data = malloc (sizeof (guint8) * count + 1);
+ data = malloc (alloc_size);
memcpy (data, info.data + real_offset, count);
data[count] = 0;
gst_buffer_unmap (reader->buffer, &info);
} else {
- data = malloc (sizeof (guint8) * count + 1);
+ data = malloc (count + 1);
memcpy (data, (guint8 *) offset_as_data, count);
data[count] = 0;
}
--
2.47.0
Reference in New Issue View Git Blame Copy Permalink