From 0f0ca103050670b0d15eb2971fa70e16a19f10d0 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 17 Jan 2024 17:38:15 +0100
Subject: [PATCH] CVE-2023-37327: integer overflow leading to heap overwrite in FLAC image tag handling
Resolves: RHEL-19471
---
 ...integer-overflow-in-available-data-c.patch | 55 +++++++++++++++++++
 gstreamer1-plugins-good.spec | 10 +++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
diff --git a/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch b/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
new file mode 100644
index 0000000..b20f286
--- /dev/null
+++ b/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
@@ -0,0 +1,55 @@
+From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 13 Jun 2023 13:20:16 +0300
+Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
+ image tags
+
+If the image length as stored in the file is some bogus integer then
+adding it to the current byte readers position can overflow and wrongly
+have the check for enough available data succeed.
+
+This then later can cause NULL pointer dereferences or out of bounds
+reads/writes when actually reading the image data.
+
+Fixes ZDI-CAN-20775
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
+
+Part-of:
+---
+ .../gst-plugins-good/gst/audioparsers/gstflacparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
+index a53b7ebc77..8ee450c65a 100644
+--- a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
++++ b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
+@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+ GstMapInfo map;
+ guint32 img_len = 0, img_type = 0;
+ guint32 img_mimetype_len = 0, img_description_len = 0;
++ const guint8 *img_data;
+
+ gst_buffer_map (buffer, &map, GST_MAP_READ);
+ gst_byte_reader_init (&reader, map.data, map.size);
+@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+ if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
+ goto error;
+
+- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
++ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
+ goto error;
+
+ GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
+@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+ if (flacparse->tags == NULL)
+ flacparse->tags = gst_tag_list_new_empty ();
+
+- gst_tag_list_add_id3_image (flacparse->tags,
+- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
++ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
+ }
+
+ gst_buffer_unmap (buffer, &map);
+--
+2.43.0
+
diff --git a/gstreamer1-plugins-good.spec b/gstreamer1-plugins-good.spec
index 76bbfc1..4992866 100644
--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
@@ -17,7 +17,7 @@ Name: gstreamer1-plugins-good
 Version: 1.22.1
-Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary: GStreamer plugins with good code and licensing
 License: LGPLv2+
@@ -37,6 +37,8 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
 # See http://www.freedesktop.org/software/appstream/docs/ for more details.
 Source1: gstreamer-good.appdata.xml
+Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
+
 BuildRequires: meson >= 0.48.0
 BuildRequires: gcc
 BuildRequires: gcc-c++
@@ -163,6 +165,7 @@ to be installed.
 %prep
 %setup -q -n gst-plugins-good-%{version}
+%patch0 -p3
 %build
 %meson \
@@ -304,6 +307,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
 %changelog
+* Wed Jan 17 2024 Wim Taymans - 1.22.1-2
+- CVE-2023-37327: integer overflow leading to heap overwrite in FLAC
+ image tag handling
+- Resolves: RHEL-19471
+
 * Thu Apr 13 2023 Wim Taymans - 1.22.1-1
 - Update to 1.22.1
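Review bot: `gst_byte_reader_get_data (&reader, img_len, &img_data)` in the nested gstflacparse.c change does more than the `get_pos` comparison it replaces: besides bounding `img_len` against the bytes actually remaining in the reader (which is what removes the position-plus-length overflow), it advances `reader` past the image on success. Inside the hunk the only later consumer is `gst_tag_list_add_id3_image`, which now takes `img_data` directly, so this looks correct, but gst_flac_parse_handle_picture continues outside the hunk and any further read through `reader` there would now start after the image bytes rather than at them. A short comment above the call, `/* bounds-checks img_len against the remaining data and advances the reader past the image */`, would make that side effect explicit for the next maintainer. Separately, the pre-existing context line `GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len)` formats a guint32 with `%d`; `%u` would match the type.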