CVE-2023-37327: integer overflow leading to heap overwrite in

FLAC image tag handling
Resolves: RHEL-19469

0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch

@@ -0,0 +1,55 @@
+From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 13:20:16 +0300
+Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
+ image tags
+
+If the image length as stored in the file is some bogus integer then
+adding it to the current byte readers position can overflow and wrongly
+have the check for enough available data succeed.
+
+This then later can cause NULL pointer dereferences or out of bounds
+reads/writes when actually reading the image data.
+
+Fixes ZDI-CAN-20775
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
+---
+ gst/audioparsers/gstflacparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
+index 2758d4cfc..cd5a48bee 100644
+--- a/gst/audioparsers/gstflacparse.c
++++ b/gst/audioparsers/gstflacparse.c
+@@ -1109,6 +1109,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+   GstMapInfo map;
+   guint32 img_len = 0, img_type = 0;
+   guint32 img_mimetype_len = 0, img_description_len = 0;
++  const guint8 *img_data;
+ 
+   gst_buffer_map (buffer, &map, GST_MAP_READ);
+   gst_byte_reader_init (&reader, map.data, map.size);
+@@ -1135,7 +1136,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+   if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
+     goto error;
+ 
+-  if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
++  if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
+     goto error;
+ 
+   GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
+@@ -1144,8 +1145,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+     if (flacparse->tags == NULL)
+       flacparse->tags = gst_tag_list_new_empty ();
+ 
+-    gst_tag_list_add_id3_image (flacparse->tags,
+-        map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
++    gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
+   }
+ 
+   gst_buffer_unmap (buffer, &map);
+-- 
+2.43.0
+

gstreamer1-plugins-good.spec

@@ -15,7 +15,7 @@
 
 Name:           gstreamer1-plugins-good
 Version:        1.16.1
-Release:        3%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        4%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer plugins with good code and licensing
 
 License:        LGPLv2+
@@ -31,6 +31,7 @@ Source0:        http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
 
 Patch0:         d62cecf193d6bf3b16fe91d725f4514161f602c3.patch
 Patch1:         9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch
+Patch2:		0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
 
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@@ -166,6 +167,7 @@ to be installed.
 %setup -q -n gst-plugins-good-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure --disable-silent-rules --disable-fatal-warnings \
@@ -350,6 +352,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 
 
 %changelog
+* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
+- CVE-2023-37327: integer overflow leading to heap overwrite in
+  FLAC image tag handling
+- Resolves: RHEL-19469
+
 * Thu Jul 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
 - Add patches for matroskademux. CVE-2021-3497
 - Resolves: rhbz#1948942