Add fix for gstreamer FLIC decoder vulnerability
parent
f087786b62
commit
a7f338d7c1
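--- /dev/null
+++ b/0001-flxdec-add-some-write-bounds-checking.patch
@@ -0,0 +1,304 @@
+From 6b6c3bec094d7b31456be257d9c575bdfd044861 Mon Sep 17 00:00:00 2001
+From: Matthew Waters <matthew@centricular.com>
+Date: Tue, 22 Nov 2016 19:05:00 +1100
+Subject: [PATCH 1/4] flxdec: add some write bounds checking
+
+Without checking the bounds of the frame we are writing into, we can
+write off the end of the destination buffer.
+
+https://scarybeastsecurity.blogspot.dk/2016/11/0day-exploit-advancing-exploitation.html
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774834
+---
+gst/flx/gstflxdec.c | 116 +++++++++++++++++++++++++++++++++++++++++-----------
+1 file changed, 91 insertions(+), 25 deletions(-)
+
+diff --git a/gst/flx/gstflxdec.c b/gst/flx/gstflxdec.c
+index 604be2f..d51a8e6 100644
+--- a/gst/flx/gstflxdec.c
++++ b/gst/flx/gstflxdec.c
+@@ -74,9 +74,9 @@ static gboolean gst_flxdec_src_query_handler (GstPad * pad, GstObject * parent,
+GstQuery * query);
+
+static void flx_decode_color (GstFlxDec *, guchar *, guchar *, gint);
+-static void flx_decode_brun (GstFlxDec *, guchar *, guchar *);
+-static void flx_decode_delta_fli (GstFlxDec *, guchar *, guchar *);
+-static void flx_decode_delta_flc (GstFlxDec *, guchar *, guchar *);
++static gboolean flx_decode_brun (GstFlxDec *, guchar *, guchar *);
++static gboolean flx_decode_delta_fli (GstFlxDec *, guchar *, guchar *);
++static gboolean flx_decode_delta_flc (GstFlxDec *, guchar *, guchar *);
+
+#define rndalign(off) ((off) + ((off) & 1))
+
+@@ -203,13 +203,14 @@ gst_flxdec_sink_event_handler (GstPad * pad, GstObject * parent,
+return ret;
+}
+
+-static void
++static gboolean
+flx_decode_chunks (GstFlxDec * flxdec, gulong count, guchar * data,
+guchar * dest)
+{
+FlxFrameChunk *hdr;
++ gboolean ret = TRUE;
+
+- g_return_if_fail (data != NULL);
++ g_return_val_if_fail (data != NULL, FALSE);
+
+while (count--) {
+hdr = (FlxFrameChunk *) data;
+@@ -228,17 +229,17 @@ flx_decode_chunks (GstFlxDec * flxdec, gulong count, guchar * data,
+break;
+
+case FLX_BRUN:
+- flx_decode_brun (flxdec, data, dest);
++ ret = flx_decode_brun (flxdec, data, dest);
+data += rndalign (hdr->size) - FlxFrameChunkSize;
+break;
+
+case FLX_LC:
+- flx_decode_delta_fli (flxdec, data, dest);
++ ret = flx_decode_delta_fli (flxdec, data, dest);
+data += rndalign (hdr->size) - FlxFrameChunkSize;
+break;
+
+case FLX_SS2:
+- flx_decode_delta_flc (flxdec, data, dest);
++ ret = flx_decode_delta_flc (flxdec, data, dest);
+data += rndalign (hdr->size) - FlxFrameChunkSize;
+break;
+
+@@ -256,7 +257,12 @@ flx_decode_chunks (GstFlxDec * flxdec, gulong count, guchar * data,
+data += rndalign (hdr->size) - FlxFrameChunkSize;
+break;
+}
++
++ if (!ret)
++ break;
+}
++
++ return ret;
+}
+
+
+@@ -289,13 +295,13 @@ flx_decode_color (GstFlxDec * flxdec, guchar * data, guchar * dest, gint scale)
+}
+}
+
+-static void
++static gboolean
+flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
+{
+gulong count, lines, row;
+guchar x;
+
+- g_return_if_fail (flxdec != NULL);
++ g_return_val_if_fail (flxdec != NULL, FALSE);
+
+lines = flxdec->hdr.height;
+while (lines--) {
+@@ -313,12 +319,21 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
+if (count > 0x7f) {
+/* literal run */
+count = 0x100 - count;
++ if ((glong) row - count < 0) {
++ GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
++ return FALSE;
++ }
+row -= count;
+
+while (count--)
+*dest++ = *data++;
+
+} else {
++ if ((glong) row - count < 0) {
++ GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
++ return FALSE;
++ }
++
+/* replicate run */
+row -= count;
+x = *data++;
+@@ -328,22 +343,28 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
+}
+}
+}
++
++ return TRUE;
+}
+
+-static void
++static gboolean
+flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
+{
+gulong count, packets, lines, start_line;
+guchar *start_p, x;
+
+- g_return_if_fail (flxdec != NULL);
+- g_return_if_fail (flxdec->delta_data != NULL);
++ g_return_val_if_fail (flxdec != NULL, FALSE);
++ g_return_val_if_fail (flxdec->delta_data != NULL, FALSE);
+
+/* use last frame for delta */
+memcpy (dest, flxdec->delta_data, flxdec->size);
+
+start_line = (data[0] + (data[1] << 8));
+lines = (data[2] + (data[3] << 8));
++ if (start_line + lines > flxdec->hdr.height) {
++ GST_ERROR_OBJECT (flxdec, "Invalid FLI packet detected. too many lines.");
++ return FALSE;
++ }
+data += 4;
+
+/* start position of delta */
+@@ -356,7 +377,8 @@ flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
+
+while (packets--) {
+/* skip count */
+- dest += *data++;
++ guchar skip = *data++;
++ dest += skip;
+
+/* RLE count */
+count = *data++;
+@@ -364,12 +386,24 @@ flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
+if (count > 0x7f) {
+/* literal run */
+count = 0x100 - count;
+- x = *data++;
+
++ if (skip + count > flxdec->hdr.width) {
++ GST_ERROR_OBJECT (flxdec, "Invalid FLI packet detected. "
++ "line too long.");
++ return FALSE;
++ }
++
++ x = *data++;
+while (count--)
+*dest++ = x;
+
+} else {
++ if (skip + count > flxdec->hdr.width) {
++ GST_ERROR_OBJECT (flxdec, "Invalid FLI packet detected. "
++ "line too long.");
++ return FALSE;
++ }
++
+/* replicate run */
+while (count--)
+*dest++ = *data++;
+@@ -378,21 +412,27 @@ flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
+start_p += flxdec->hdr.width;
+dest = start_p;
+}
++
++ return TRUE;
+}
+
+-static void
++static gboolean
+flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
+{
+gulong count, lines, start_l, opcode;
+guchar *start_p;
+
+- g_return_if_fail (flxdec != NULL);
+- g_return_if_fail (flxdec->delta_data != NULL);
++ g_return_val_if_fail (flxdec != NULL, FALSE);
++ g_return_val_if_fail (flxdec->delta_data != NULL, FALSE);
+
+/* use last frame for delta */
+memcpy (dest, flxdec->delta_data, flxdec->size);
+
+lines = (data[0] + (data[1] << 8));
++ if (lines > flxdec->hdr.height) {
++ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. too many lines.");
++ return FALSE;
++ }
+data += 2;
+
+start_p = dest;
+@@ -405,9 +445,15 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
+while ((opcode = (data[0] + (data[1] << 8))) & 0xc000) {
+data += 2;
+if ((opcode & 0xc000) == 0xc000) {
+- /* skip count */
+- start_l += (0x10000 - opcode);
+- dest += flxdec->hdr.width * (0x10000 - opcode);
++ /* line skip count */
++ gulong skip = (0x10000 - opcode);
++ if (skip > flxdec->hdr.height) {
++ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. "
++ "skip line count too big.");
++ return FALSE;
++ }
++ start_l += skip;
++ dest += flxdec->hdr.width * skip;
+} else {
+/* last pixel */
+dest += flxdec->hdr.width;
+@@ -419,7 +465,8 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
+/* last opcode is the packet count */
+while (opcode--) {
+/* skip count */
+- dest += *data++;
++ guchar skip = *data++;
++ dest += skip;
+
+/* RLE count */
+count = *data++;
+@@ -427,12 +474,25 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
+if (count > 0x7f) {
+/* replicate word run */
+count = 0x100 - count;
++
++ if (skip + count > flxdec->hdr.width) {
++ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. "
++ "line too long.");
++ return FALSE;
++ }
++
+while (count--) {
+*dest++ = data[0];
+*dest++ = data[1];
+}
+data += 2;
+} else {
++ if (skip + count > flxdec->hdr.width) {
++ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. "
++ "line too long.");
++ return FALSE;
++ }
++
+/* literal word run */
+while (count--) {
+*dest++ = *data++;
+@@ -442,6 +502,8 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
+}
+lines--;
+}
++
++ return TRUE;
+}
+
+static GstFlowReturn
+@@ -571,9 +633,13 @@ gst_flxdec_chain (GstPad * pad, GstObject * parent, GstBuffer * buf)
+out = gst_buffer_new_and_alloc (flxdec->size * 4);
+
+/* decode chunks */
+- flx_decode_chunks (flxdec,
+- ((FlxFrameType *) chunk)->chunks,
+- chunk + FlxFrameTypeSize, flxdec->frame_data);
++ if (!flx_decode_chunks (flxdec,
++ ((FlxFrameType *) chunk)->chunks,
++ chunk + FlxFrameTypeSize, flxdec->frame_data)) {
++ GST_ELEMENT_ERROR (flxdec, STREAM, DECODE,
++ ("%s", "Could not decode chunk"), NULL);
++ return GST_FLOW_ERROR;
++ }
+
+/* save copy of the current frame for possible delta. */
+memcpy (flxdec->delta_data, flxdec->frame_data, flxdec->size);
+--
+2.7.4
+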
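Review bot: The new per-packet width checks in flx_decode_delta_fli and flx_decode_delta_flc (`if (skip + count > flxdec->hdr.width)`) bound only one packet, but `dest` is advanced by `skip` and then by `count` for every packet of a line and is reset to `start_p` only after the packet loop, so several packets that each pass the check can still carry `dest` past the end of the line and, on the last line, past the frame buffer. A running column is needed: declare `gulong col = 0;` at the start of each line, test `if (col + skip + count > flxdec->hdr.width)` instead of the per-packet test, and advance `col += skip + count;` after each packet. The same pattern affects the FLC line-skip check, which compares each `skip` with hdr.height on its own while `start_l` accumulates across opcodes, and none of the hunks bound the reads through `data` against the chunk's `hdr->size`, so a truncated chunk still reads past its end. The 0004 rewrite added in this same commit (its diff is suppressed on this page) may replace this logic entirely; this comment applies only where 0001's code survives it.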
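--- /dev/null
+++ b/0002-flxdec-fix-some-warnings-comparing-unsigned-0.patch
@@ -0,0 +1,49 @@
+From 35304ee4890e70cf004744c5f44a05fea46fea95 Mon Sep 17 00:00:00 2001
+From: Matthew Waters <matthew@centricular.com>
+Date: Tue, 22 Nov 2016 23:46:00 +1100
+Subject: [PATCH 2/4] flxdec: fix some warnings comparing unsigned < 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+bf43f44fcfada5ec4a3ce60cb374340486fe9fac was comparing an unsigned
+expression to be < 0 which was always false.
+
+gstflxdec.c: In function ‘flx_decode_brun’:
+gstflxdec.c:322:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+if ((glong) row - count < 0) {
+^
+gstflxdec.c:332:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
+if ((glong) row - count < 0) {
+^
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774834
+---
+gst/flx/gstflxdec.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gst/flx/gstflxdec.c b/gst/flx/gstflxdec.c
+index d51a8e6..e675c99 100644
+--- a/gst/flx/gstflxdec.c
++++ b/gst/flx/gstflxdec.c
+@@ -319,7 +319,7 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
+if (count > 0x7f) {
+/* literal run */
+count = 0x100 - count;
+- if ((glong) row - count < 0) {
++ if ((glong) row - (glong) count < 0) {
+GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
+return FALSE;
+}
+@@ -329,7 +329,7 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
+*dest++ = *data++;
+
+} else {
+- if ((glong) row - count < 0) {
++ if ((glong) row - (glong) count < 0) {
+GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
+return FALSE;
+}
+--
+2.7.4
+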
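Review bot: The repaired comparisons in flx_decode_brun still express an unsigned relation through two signed casts, which is exactly the shape that silently became always-false in 0001; since `count` is a byte value (at most 0xff after `0x100 - count`) and `row` is presumably initialised to the line width (its initialisation is outside the hunk), the cast-free form `if (count > row) {` states the intent directly and cannot regress the same way. The same one-line change applies to both hunks. flx_decode_brun starts and ends outside this hunk.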
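--- /dev/null
+++ b/0003-flxdec-Don-t-unref-parent-in-the-chain-function.patch
@@ -0,0 +1,28 @@
+From c51de4f2c7beecc5193952013e7a489017ae137d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 23 Nov 2016 11:20:49 +0200
+Subject: [PATCH 3/4] flxdec: Don't unref() parent in the chain function
+
+We don't own the reference here, it is owned by the caller and given to
+us for the scope of this function. Leftover mistake from 0.10 porting.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774897
+---
+gst/flx/gstflxdec.c | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/gst/flx/gstflxdec.c b/gst/flx/gstflxdec.c
+index e675c99..a237976 100644
+--- a/gst/flx/gstflxdec.c
++++ b/gst/flx/gstflxdec.c
+@@ -677,7 +677,6 @@ wrong_type:
+{
+GST_ELEMENT_ERROR (flxdec, STREAM, WRONG_TYPE, (NULL),
+("not a flx file (type %x)", flxh->type));
+- gst_object_unref (flxdec);
+return GST_FLOW_ERROR;
+}
+}
+--
+2.7.4
+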
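Review bot: Dropping the `gst_object_unref (flxdec)` at the `wrong_type:` label is correct because the chain function only borrows `parent`, but the same 0.10-era port would have produced the identical unref at any other early-return label of gst_flxdec_chain, and the function starts and ends outside this hunk, so the other error paths should be checked for the same pattern before this is considered closed. A one-line comment at the label, `/* flxdec is the borrowed parent: never unref it on an error path */`, would keep the unref from being reintroduced by a later cleanup.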
1038
0004-flxdec-rewrite-logic-based-on-GstByteReader-Writer.patch
Normal file
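--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
@@ -13,7 +13,7 @@
 
 Name: gstreamer1-plugins-good
 Version: 1.10.1
-Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary: GStreamer plugins with good code and licensing
 
 License: LGPLv2+
@@ -26,6 +26,10 @@ Source0: gst-plugins-good-%{version}.tar.xz
 %else
 Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
 %endif
+Patch1: 0001-flxdec-add-some-write-bounds-checking.patch
+Patch2: 0002-flxdec-fix-some-warnings-comparing-unsigned-0.patch
+Patch3: 0003-flxdec-Don-t-unref-parent-in-the-chain-function.patch
+Patch4: 0004-flxdec-rewrite-logic-based-on-GstByteReader-Writer.patch
 
 BuildRequires: gstreamer1-devel >= %{version}
 BuildRequires: gstreamer1-plugins-base-devel >= %{version}
@@ -98,6 +102,10 @@ to be installed.
 
 %prep
 %setup -q -n gst-plugins-good-%{version}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 %configure --disable-silent-rules --disable-fatal-warnings \
@@ -269,6 +277,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 
 
 %changelog
+* Mon Nov 28 2016 Wim Taymans <wtaymans@redhat.com> - 1.10.1-2
+- Add fix for gstreamer FLIC decoder vulnerability
+
 * Mon Nov 28 2016 Wim Taymans <wtaymans@redhat.com> - 1.10.1-1
 - Update to 1.10.1
 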
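Review bot: The new %changelog entry identifies the fix only as "FLIC decoder vulnerability", which leaves nobody auditing the backport a way to match it to the upstream reports; the bugzilla IDs carried by the patches themselves (774834 and 774897) are the tracking identifiers visible here and belong in the entry, e.g. `- Add fix for gstreamer FLIC decoder vulnerability (gnome bz#774834, bz#774897)`. Patch4 is a 1038-line rewrite of the decoder whose diff is suppressed on this page, so it is the one patch in the set that cannot be reviewed from here and deserves a second look before the build ships.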