rpms/gstreamer1-plugins-good
6
0
Fork 0
Code Issues Pull Requests Releases Activity
c8s
gstreamer1-plugins-good/0003-flacparse-Avoid-integer-overflow-in-available-data-c.patch
Wim Taymans 938fd253a8 CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606, 
CVE-2024-47613
  Resolves: RHEL-70949, RHEL-70962, RHEL-70936, RHEL-71022
  Resolves: RHEL-70998
2024-12-16 16:13:39 +01:00

56 lines
2.2 KiB
Diff
Raw Permalink Blame History

From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 13:20:16 +0300
Subject: [PATCH 3/9] flacparse: Avoid integer overflow in available data check
for image tags
If the image length as stored in the file is some bogus integer then
adding it to the current byte readers position can overflow and wrongly
have the check for enough available data succeed.
This then later can cause NULL pointer dereferences or out of bounds
reads/writes when actually reading the image data.
Fixes ZDI-CAN-20775
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
---
gst/audioparsers/gstflacparse.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
index 2758d4cfc..cd5a48bee 100644
--- a/gst/audioparsers/gstflacparse.c
+++ b/gst/audioparsers/gstflacparse.c
@@ -1109,6 +1109,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
GstMapInfo map;
guint32 img_len = 0, img_type = 0;
guint32 img_mimetype_len = 0, img_description_len = 0;
+ const guint8 *img_data;
gst_buffer_map (buffer, &map, GST_MAP_READ);
gst_byte_reader_init (&reader, map.data, map.size);
@@ -1135,7 +1136,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
goto error;
- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
+ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
goto error;
GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
@@ -1144,8 +1145,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
if (flacparse->tags == NULL)
flacparse->tags = gst_tag_list_new_empty ();
- gst_tag_list_add_id3_image (flacparse->tags,
- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
+ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
}
gst_buffer_unmap (buffer, &map);
--
2.47.0
Reference in New Issue View Git Blame Copy Permalink