CVE-2023-37327: integer overflow leading to heap overwrite in FLAC

image tag handling
Resolves: RHEL-19471
This commit is contained in:
Wim Taymans 2024-01-17 17:38:15 +01:00
parent 04e5dd4a17
commit 0f0ca10305
2 changed files with 64 additions and 1 deletions

View File

@ -0,0 +1,55 @@
From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 13:20:16 +0300
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
image tags
If the image length as stored in the file is some bogus integer then
adding it to the current byte readers position can overflow and wrongly
have the check for enough available data succeed.
This then later can cause NULL pointer dereferences or out of bounds
reads/writes when actually reading the image data.
Fixes ZDI-CAN-20775
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
---
.../gst-plugins-good/gst/audioparsers/gstflacparse.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
index a53b7ebc77..8ee450c65a 100644
--- a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
+++ b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
GstMapInfo map;
guint32 img_len = 0, img_type = 0;
guint32 img_mimetype_len = 0, img_description_len = 0;
+ const guint8 *img_data;
gst_buffer_map (buffer, &map, GST_MAP_READ);
gst_byte_reader_init (&reader, map.data, map.size);
@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
goto error;
- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
+ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
goto error;
GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
if (flacparse->tags == NULL)
flacparse->tags = gst_tag_list_new_empty ();
- gst_tag_list_add_id3_image (flacparse->tags,
- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
+ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
}
gst_buffer_unmap (buffer, &map);
--
2.43.0

View File

@ -17,7 +17,7 @@
Name: gstreamer1-plugins-good Name: gstreamer1-plugins-good
Version: 1.22.1 Version: 1.22.1
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing Summary: GStreamer plugins with good code and licensing
License: LGPLv2+ License: LGPLv2+
@ -37,6 +37,8 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
# See http://www.freedesktop.org/software/appstream/docs/ for more details. # See http://www.freedesktop.org/software/appstream/docs/ for more details.
Source1: gstreamer-good.appdata.xml Source1: gstreamer-good.appdata.xml
Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
BuildRequires: meson >= 0.48.0 BuildRequires: meson >= 0.48.0
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -163,6 +165,7 @@ to be installed.
%prep %prep
%setup -q -n gst-plugins-good-%{version} %setup -q -n gst-plugins-good-%{version}
%patch0 -p3
%build %build
%meson \ %meson \
@ -304,6 +307,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%changelog %changelog
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
- CVE-2023-37327: integer overflow leading to heap overwrite in FLAC
image tag handling
- Resolves: RHEL-19471
* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1 * Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
- Update to 1.22.1 - Update to 1.22.1