CVE-2023-37327: integer overflow leading to heap overwrite in FLAC
image tag handling Resolves: RHEL-19471
parent
04e5dd4a17
commit
0f0ca10305
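--- /dev/null
+++ b/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
@@ -0,0 +1,55 @@
+From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 13:20:16 +0300
+Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
+image tags
+
+If the image length as stored in the file is some bogus integer then
+adding it to the current byte readers position can overflow and wrongly
+have the check for enough available data succeed.
+
+This then later can cause NULL pointer dereferences or out of bounds
+reads/writes when actually reading the image data.
+
+Fixes ZDI-CAN-20775
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
+---
+.../gst-plugins-good/gst/audioparsers/gstflacparse.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
+index a53b7ebc77..8ee450c65a 100644
+--- a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
++++ b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
+@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+GstMapInfo map;
+guint32 img_len = 0, img_type = 0;
+guint32 img_mimetype_len = 0, img_description_len = 0;
++ const guint8 *img_data;
+
+gst_buffer_map (buffer, &map, GST_MAP_READ);
+gst_byte_reader_init (&reader, map.data, map.size);
+@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
+goto error;
+
+- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
++ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
+goto error;
+
+GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
+@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+if (flacparse->tags == NULL)
+flacparse->tags = gst_tag_list_new_empty ();
+
+- gst_tag_list_add_id3_image (flacparse->tags,
+- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
++ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
+}
+
+gst_buffer_unmap (buffer, &map);
+--
+2.43.0
+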
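Review bot: The new `gst_byte_reader_get_data (&reader, img_len, &img_data)` check in the second inner hunk has no comment saying why the length is validated through the byte reader rather than by arithmetic, so a later cleanup could bring back the wrapping `pos + img_len > map.size` form; I would add `/* bounds-check img_len via the reader: pos + img_len can wrap for a bogus 32-bit length */` above it. Unlike the old comparison, this call also advances the reader past the image data, and the lines between the check and the tag insertion are outside the hunks shown, so it is worth confirming nothing there reads from `reader` again. The unchanged `GST_INFO_OBJECT` line still formats the `guint32 img_len` with `%d`; `%u` matches the type. `gst_flac_parse_handle_picture` starts and ends outside the hunks.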
|
@ -17,7 +17,7 @@
|
||||
|
||||
Name: gstreamer1-plugins-good
|
||||
Version: 1.22.1
|
||||
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Summary: GStreamer plugins with good code and licensing
|
||||
|
||||
License: LGPLv2+
|
||||
@ -37,6 +37,8 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
|
||||
# See http://www.freedesktop.org/software/appstream/docs/ for more details.
|
||||
Source1: gstreamer-good.appdata.xml
|
||||
|
||||
Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
|
||||
|
||||
BuildRequires: meson >= 0.48.0
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
@ -163,6 +165,7 @@ to be installed.
|
||||
|
||||
%prep
|
||||
%setup -q -n gst-plugins-good-%{version}
|
||||
%patch0 -p3
|
||||
|
||||
%build
|
||||
%meson \
|
||||
@ -304,6 +307,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
|
||||
- CVE-2023-37327: integer overflow leading to heap overwrite in FLAC
|
||||
image tag handling
|
||||
- Resolves: RHEL-19471
|
||||
|
||||
* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
|
||||
- Update to 1.22.1
|
||||
|
||||
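Review bot: The `Patch0:` line is added without a comment tying it to its origin, so whoever rebases the package has to open the patch file to learn whether it can be dropped. A line above it such as `# CVE-2023-37327 (RHEL-19471): upstream gstreamer merge request 4894` would record that, using the identifiers already in the patch header and changelog. `%patch0 -p3` is consistent with the `a/subprojects/gst-plugins-good/` prefix in the patch's `diff --git` line, so the strip level looks right for the `gst-plugins-good-%{version}` tree. Since 1.22.1 is kept as the base version, the comment could also say that the patch becomes redundant once the package moves to an upstream release containing the fix.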