gstreamer1-plugins-good/0001-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
Wim Taymans 7375f9916a Apply patches for CVE-2024-47537, CVE-2024-47539, CVE-2024-47540
CVE-2024-47543, CVE-2024-47544, CVE-2024-47545, CVE-2024-47546,
  CVE-2024-47596, CVE-2024-47597, CVE-2024-47598, CVE-2024-47599,
  CVE-2024-47601, CVE-2024-47602, CVE-2024-47603, CVE-2024-47606,
  CVE-2024-47613, CVE-2024-47774, CVE-2024-47775, CVE-2024-47776,
  CVE-2024-47777, CVE-2024-47778, CVE-2024-47834
Resolves: RHEL-70958, RHEL-70971, RHEL-71033, RHEL-71195
Resolves: RHEL-71210, RHEL-71202, RHEL-71171, RHEL-71200
Resolves: RHEL-71206, RHEL-71173, RHEL-71198, RHEL-71204
Resolves: RHEL-71208, RHEL-71031, RHEL-71007, RHEL-71039
Resolves: RHEL-71169, RHEL-71192, RHEL-71161, RHEL-71167
Resolves: RHEL-71189
2024-12-13 17:30:57 +01:00

42 lines
1.3 KiB
Diff

From c6f4528710213d4887cbd2bf60eddfe97f1e7529 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 22:16:06 +0300
Subject: [PATCH 01/28] qtdemux: Avoid integer overflow when parsing Theora
extension
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-166
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8094>
---
subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index a53d61e649..fcc818c7d7 100644
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -8258,7 +8258,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
end -= 8;
while (buf < end) {
- gint size;
+ guint32 size;
guint32 type;
size = QT_UINT32 (buf);
@@ -8266,7 +8266,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
- if (buf + size > end || size <= 0)
+ if (end - buf < size || size < 8)
break;
buf += 8;
--
2.47.0