From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Tue, 13 Jun 2023 13:20:16 +0300 Subject: [PATCH] flacparse: Avoid integer overflow in available data check for image tags If the image length as stored in the file is some bogus integer then adding it to the current byte readers position can overflow and wrongly have the check for enough available data succeed. This then later can cause NULL pointer dereferences or out of bounds reads/writes when actually reading the image data. Fixes ZDI-CAN-20775 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661 Part-of: --- gst/audioparsers/gstflacparse.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c index 2758d4cfc..cd5a48bee 100644 --- a/gst/audioparsers/gstflacparse.c +++ b/gst/audioparsers/gstflacparse.c @@ -1109,6 +1109,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer) GstMapInfo map; guint32 img_len = 0, img_type = 0; guint32 img_mimetype_len = 0, img_description_len = 0; + const guint8 *img_data; gst_buffer_map (buffer, &map, GST_MAP_READ); gst_byte_reader_init (&reader, map.data, map.size); @@ -1135,7 +1136,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer) if (!gst_byte_reader_get_uint32_be (&reader, &img_len)) goto error; - if (gst_byte_reader_get_pos (&reader) + img_len > map.size) + if (!gst_byte_reader_get_data (&reader, img_len, &img_data)) goto error; GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len); @@ -1144,8 +1145,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer) if (flacparse->tags == NULL) flacparse->tags = gst_tag_list_new_empty (); - gst_tag_list_add_id3_image (flacparse->tags, - map.data + gst_byte_reader_get_pos (&reader), img_len, img_type); + gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type); } gst_buffer_unmap (buffer, &map); -- 2.43.0