rpms/gstreamer1-plugins-good
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c9s
gstreamer1-plugins-good/0021-qtdemux-Make-sure-enough-data-is-available-before-re.patch
Wim Taymans 7375f9916a Apply patches for CVE-2024-47537, CVE-2024-47539, CVE-2024-47540 
CVE-2024-47543, CVE-2024-47544, CVE-2024-47545, CVE-2024-47546,
  CVE-2024-47596, CVE-2024-47597, CVE-2024-47598, CVE-2024-47599,
  CVE-2024-47601, CVE-2024-47602, CVE-2024-47603, CVE-2024-47606,
  CVE-2024-47613, CVE-2024-47774, CVE-2024-47775, CVE-2024-47776,
  CVE-2024-47777, CVE-2024-47778, CVE-2024-47834
Resolves: RHEL-70958, RHEL-70971, RHEL-71033, RHEL-71195
Resolves: RHEL-71210, RHEL-71202, RHEL-71171, RHEL-71200
Resolves: RHEL-71206, RHEL-71173, RHEL-71198, RHEL-71204
Resolves: RHEL-71208, RHEL-71031, RHEL-71007, RHEL-71039
Resolves: RHEL-71169, RHEL-71192, RHEL-71161, RHEL-71167
Resolves: RHEL-71189
2024-12-13 17:30:57 +01:00

117 lines
4.6 KiB
Diff
Raw Permalink Blame History

From 834425d90b25933356fc3ad05135989162a0f356 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 14:17:02 +0300
Subject: [PATCH 21/28] qtdemux: Make sure enough data is available before
reading wave header node
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-236
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
.../gst-plugins-good/gst/isomp4/qtdemux.c | 84 ++++++++++---------
1 file changed, 45 insertions(+), 39 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index 1e95f5b5f2..f8fbc6395c 100644
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -13120,47 +13120,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
} else {
guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16);
const guint8 *data = stsd_entry_data + offset + 16;
- GNode *wavenode;
- GNode *waveheadernode;
-
- wavenode = g_node_new ((guint8 *) data);
- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
- const guint8 *waveheader;
- guint32 headerlen;
-
- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc);
- if (waveheadernode) {
- waveheader = (const guint8 *) waveheadernode->data;
- headerlen = QT_UINT32 (waveheader);
-
- if (headerlen > 8) {
- gst_riff_strf_auds *header = NULL;
- GstBuffer *headerbuf;
- GstBuffer *extra;
-
- waveheader += 8;
- headerlen -= 8;
-
- headerbuf = gst_buffer_new_and_alloc (headerlen);
- gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
-
- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
- headerbuf, &header, &extra)) {
- gst_caps_unref (entry->caps);
- /* FIXME: Need to do something with the channel reorder map */
- entry->caps =
- gst_riff_create_audio_caps (header->format, NULL, header,
- extra, NULL, NULL, NULL);
-
- if (extra)
- gst_buffer_unref (extra);
- g_free (header);
+
+ if (len < datalen || len - datalen < offset + 16) {
+ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode");
+ } else {
+ GNode *wavenode;
+ GNode *waveheadernode;
+
+ wavenode = g_node_new ((guint8 *) data);
+ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
+ const guint8 *waveheader;
+ guint32 headerlen;
+
+ waveheadernode =
+ qtdemux_tree_get_child_by_type (wavenode, fourcc);
+ if (waveheadernode) {
+ waveheader = (const guint8 *) waveheadernode->data;
+ headerlen = QT_UINT32 (waveheader);
+
+ if (headerlen > 8) {
+ gst_riff_strf_auds *header = NULL;
+ GstBuffer *headerbuf;
+ GstBuffer *extra;
+
+ waveheader += 8;
+ headerlen -= 8;
+
+ headerbuf = gst_buffer_new_and_alloc (headerlen);
+ gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
+
+ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
+ headerbuf, &header, &extra)) {
+ gst_caps_unref (entry->caps);
+ /* FIXME: Need to do something with the channel reorder map */
+ entry->caps =
+ gst_riff_create_audio_caps (header->format, NULL,
+ header, extra, NULL, NULL, NULL);
+
+ if (extra)
+ gst_buffer_unref (extra);
+ g_free (header);
+ }
}
- }
- } else
- GST_DEBUG ("Didn't find waveheadernode for this codec");
+ } else
+ GST_DEBUG ("Didn't find waveheadernode for this codec");
+ }
+ g_node_destroy (wavenode);
}
- g_node_destroy (wavenode);
}
} else if (esds) {
gst_qtdemux_handle_esds (qtdemux, stream, entry, esds,
--
2.47.0
Reference in New Issue View Git Blame Copy Permalink