CVE-2023-37327: integer overflow leading to heap overwrite in

FLAC image tag handling
Resolves: RHEL-19469
Wim Taymans 2024-01-17 17:23:42 +01:00
parent c6fd819639
commit a662184fb2
2 changed files with 63 additions and 1 deletions


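--- /dev/null
+++ b/0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
@@ -0,0 +1,55 @@
+From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 13:20:16 +0300
+Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
+image tags
+If the image length as stored in the file is some bogus integer then
+adding it to the current byte readers position can overflow and wrongly
+have the check for enough available data succeed.
+This then later can cause NULL pointer dereferences or out of bounds
+reads/writes when actually reading the image data.
+Fixes ZDI-CAN-20775
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
+---
+gst/audioparsers/gstflacparse.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
+index 2758d4cfc..cd5a48bee 100644
+--- a/gst/audioparsers/gstflacparse.c
++++ b/gst/audioparsers/gstflacparse.c
+@@ -1109,6 +1109,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+GstMapInfo map;
+guint32 img_len = 0, img_type = 0;
+guint32 img_mimetype_len = 0, img_description_len = 0;
++ const guint8 *img_data;
+gst_buffer_map (buffer, &map, GST_MAP_READ);
+gst_byte_reader_init (&reader, map.data, map.size);
+@@ -1135,7 +1136,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
+goto error;
+- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
++ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
+goto error;
+GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
+@@ -1144,8 +1145,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+if (flacparse->tags == NULL)
+flacparse->tags = gst_tag_list_new_empty ();
+- gst_tag_list_add_id3_image (flacparse->tags,
+- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
++ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
+}
+gst_buffer_unmap (buffer, &map);
+--
+2.43.0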
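Review bot: The replacement check `if (!gst_byte_reader_get_data (&reader, img_len, &img_data))` carries no comment, so the reason for preferring it over the arithmetic form lives only in the commit message and a later cleanup could reintroduce `gst_byte_reader_get_pos (&reader) + img_len > map.size`; I would add `/* Let the byte reader bounds-check img_len: pos + img_len wraps for bogus lengths and falsely passes (CVE-2023-37327). */` above it. As far as the hunk shows the fix is sound: the reader refuses the read when fewer than img_len bytes remain, and img_data presumably points into the same mapped buffer, so the later `map.data + get_pos` arithmetic that `gst_tag_list_add_id3_image` consumed is gone too. A minor style point on the context line that survives: `GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len)` formats a guint32 with `%d` and should use `%u`; it is cosmetic now because the check above guarantees the length fits the buffer before the log is reached. `gst_flac_parse_handle_picture` starts before the hunk and its `error:` label is outside it, so I have not verified that the failure path unmaps the buffer.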


@ -15,7 +15,7 @@
Name: gstreamer1-plugins-good Name: gstreamer1-plugins-good
Version: 1.16.1 Version: 1.16.1
Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing Summary: GStreamer plugins with good code and licensing
License: LGPLv2+ License: LGPLv2+
@ -31,6 +31,7 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch
Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch
Patch2: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -166,6 +167,7 @@ to be installed.
%setup -q -n gst-plugins-good-%{version} %setup -q -n gst-plugins-good-%{version}
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
%build %build
%configure --disable-silent-rules --disable-fatal-warnings \ %configure --disable-silent-rules --disable-fatal-warnings \
@ -350,6 +352,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%changelog %changelog
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
- CVE-2023-37327: integer overflow leading to heap overwrite in
FLAC image tag handling
- Resolves: RHEL-19469
* Thu Jul 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3 * Thu Jul 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
- Add patches for matroskademux. CVE-2021-3497 - Add patches for matroskademux. CVE-2021-3497
- Resolves: rhbz#1948942 - Resolves: rhbz#1948942