From 24267889a717e1e799037a0f1841d5416eb56e75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 May 2022 10:15:37 +0300
Subject: [PATCH 3/4] qtdemux: Fix integer overflows in zlib decompression code
Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.
In addition the size of the decompressed data is limited to 200MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.
Also fix a bug where the available output size on the next iteration in
the zlib decompression code was provided too large and could
potentially lead to out of bound writes.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: tbd
https://gstreamer.freedesktop.org/security/sa-2022-0003.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
---
gst/isomp4/qtdemux.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 182d0bc06f..a9cbbd4cd3 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -7611,10 +7611,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
break;
}
+ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ ret = Z_MEM_ERROR;
+ break;
+ }
+
*length += 4096;
buffer = (guint8 *) g_realloc (buffer, *length);
z.next_out = (Bytef *) (buffer + z.total_out);
- z.avail_out += 4096;
+ z.avail_out += *length - z.total_out;
} while (z.avail_in > 0);
if (ret != Z_STREAM_END) {
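Review bot: The new line `z.avail_out += *length - z.total_out;` is only right when `z.avail_out` is already zero at the point the buffer is grown; with `Z_NO_FLUSH`, inflate() returning Z_OK while input remains does imply the output buffer was exhausted, so the sum is correct today, but `z.avail_out = *length - z.total_out;` states the invariant (free space = new length minus bytes written) directly and cannot over-count if the loop condition is ever relaxed. The new guard is the only effective bound here, since `g_realloc` aborts rather than returns NULL on allocation failure, so a comment on it such as `/* cap output: the +4096 below must not wrap, and anything past QTDEMUX_MAX_SAMPLE_INDEX_SIZE is treated as pathological */` would make that explicit. Growing by a fixed 4096 bytes also means a stream that inflates up to the cap is reallocated, with a copy each time, on the order of tens of thousands of times; that predates this change, but geometric growth would remove the quadratic cost. The rest of qtdemux_inflate, including the loop head and the cleanup after `if (ret != Z_STREAM_END)`, lies outside the hunk.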
--
2.38.1