7375f9916a
CVE-2024-47543, CVE-2024-47544, CVE-2024-47545, CVE-2024-47546, CVE-2024-47596, CVE-2024-47597, CVE-2024-47598, CVE-2024-47599, CVE-2024-47601, CVE-2024-47602, CVE-2024-47603, CVE-2024-47606, CVE-2024-47613, CVE-2024-47774, CVE-2024-47775, CVE-2024-47776, CVE-2024-47777, CVE-2024-47778, CVE-2024-47834 Resolves: RHEL-70958, RHEL-70971, RHEL-71033, RHEL-71195 Resolves: RHEL-71210, RHEL-71202, RHEL-71171, RHEL-71200 Resolves: RHEL-71206, RHEL-71173, RHEL-71198, RHEL-71204 Resolves: RHEL-71208, RHEL-71031, RHEL-71007, RHEL-71039 Resolves: RHEL-71169, RHEL-71192, RHEL-71161, RHEL-71167 Resolves: RHEL-71189
42 lines
1.3 KiB
Diff
42 lines
1.3 KiB
Diff
From c6f4528710213d4887cbd2bf60eddfe97f1e7529 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
Date: Thu, 26 Sep 2024 22:16:06 +0300
|
|
Subject: [PATCH 01/28] qtdemux: Avoid integer overflow when parsing Theora
|
|
extension
|
|
|
|
Thanks to Antonio Morales for finding and reporting the issue.
|
|
|
|
Fixes GHSL-2024-166
|
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8094>
|
|
---
|
|
subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
|
|
index a53d61e649..fcc818c7d7 100644
|
|
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
|
|
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
|
|
@@ -8258,7 +8258,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
|
|
end -= 8;
|
|
|
|
while (buf < end) {
|
|
- gint size;
|
|
+ guint32 size;
|
|
guint32 type;
|
|
|
|
size = QT_UINT32 (buf);
|
|
@@ -8266,7 +8266,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
|
|
|
|
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
|
|
|
|
- if (buf + size > end || size <= 0)
|
|
+ if (end - buf < size || size < 8)
|
|
break;
|
|
|
|
buf += 8;
|
|
--
|
|
2.47.0
|
|
|