CVE-2023-37327: integer overflow leading to heap overwrite in
FLAC image tag handling Resolves: RHEL-19469
parent
c6fd819639
commit
a662184fb2
@ -0,0 +1,55 @@
|
|||||||
|
From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||||
|
Date: Tue, 13 Jun 2023 13:20:16 +0300
|
||||||
|
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
|
||||||
|
image tags
|
||||||
|
|
||||||
|
If the image length as stored in the file is some bogus integer then
|
||||||
|
adding it to the current byte readers position can overflow and wrongly
|
||||||
|
have the check for enough available data succeed.
|
||||||
|
|
||||||
|
This then later can cause NULL pointer dereferences or out of bounds
|
||||||
|
reads/writes when actually reading the image data.
|
||||||
|
|
||||||
|
Fixes ZDI-CAN-20775
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
|
||||||
|
---
|
||||||
|
gst/audioparsers/gstflacparse.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
|
||||||
|
index 2758d4cfc..cd5a48bee 100644
|
||||||
|
--- a/gst/audioparsers/gstflacparse.c
|
||||||
|
+++ b/gst/audioparsers/gstflacparse.c
|
||||||
|
@@ -1109,6 +1109,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
||||||
|
GstMapInfo map;
|
||||||
|
guint32 img_len = 0, img_type = 0;
|
||||||
|
guint32 img_mimetype_len = 0, img_description_len = 0;
|
||||||
|
+ const guint8 *img_data;
|
||||||
|
|
||||||
|
gst_buffer_map (buffer, &map, GST_MAP_READ);
|
||||||
|
gst_byte_reader_init (&reader, map.data, map.size);
|
||||||
|
@@ -1135,7 +1136,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
||||||
|
if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
|
||||||
|
+ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
|
||||||
|
@@ -1144,8 +1145,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
||||||
|
if (flacparse->tags == NULL)
|
||||||
|
flacparse->tags = gst_tag_list_new_empty ();
|
||||||
|
|
||||||
|
- gst_tag_list_add_id3_image (flacparse->tags,
|
||||||
|
- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
|
||||||
|
+ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
|
||||||
|
}
|
||||||
|
|
||||||
|
gst_buffer_unmap (buffer, &map);
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
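Review bot: The `gst_byte_reader_get_data (&reader, img_len, &img_data)` call added in the second gstflacparse.c hunk is now the only bounds check on the file-supplied `img_len`, and nothing at the call site records that. A one-line comment there, such as `/* img_len is untrusted: let the byte reader bounds-check it, never add it to the position by hand */`, would help keep a later cleanup from reintroducing the wrapping `pos + img_len` comparison. The first hunk also declares `img_mimetype_len` and `img_description_len`, but gst_flac_parse_handle_picture starts and ends outside the hunks shown, so it is worth confirming those lengths are likewise consumed through byte-reader calls rather than offset arithmetic. As a smaller style point, the context line `GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);` prints a `guint32` with `%d`; `%u` would match the type.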
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
Name: gstreamer1-plugins-good
|
Name: gstreamer1-plugins-good
|
||||||
Version: 1.16.1
|
Version: 1.16.1
|
||||||
Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist}
|
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||||
Summary: GStreamer plugins with good code and licensing
|
Summary: GStreamer plugins with good code and licensing
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -31,6 +31,7 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
|
|||||||
|
|
||||||
Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch
|
Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch
|
||||||
Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch
|
Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch
|
||||||
|
Patch2: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -166,6 +167,7 @@ to be installed.
|
|||||||
%setup -q -n gst-plugins-good-%{version}
|
%setup -q -n gst-plugins-good-%{version}
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --disable-silent-rules --disable-fatal-warnings \
|
%configure --disable-silent-rules --disable-fatal-warnings \
|
||||||
@ -350,6 +352,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
|
||||||
|
- CVE-2023-37327: integer overflow leading to heap overwrite in
|
||||||
|
FLAC image tag handling
|
||||||
|
- Resolves: RHEL-19469
|
||||||
|
|
||||||
* Thu Jul 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
|
* Thu Jul 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
|
||||||
- Add patches for matroskademux. CVE-2021-3497
|
- Add patches for matroskademux. CVE-2021-3497
|
||||||
- Resolves: rhbz#1948942
|
- Resolves: rhbz#1948942
|
||||||
|