matroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header handling code
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then results in allocating a very small buffer. blocksize bytes of data are later memcpy'd into that buffer, which causes out-of-bounds writes and can potentially lead to anything from crashes to remote code execution. Thanks to Adam Doupe for analyzing and reporting the issue. CVE: CVE-2022-1920 https://gstreamer.freedesktop.org/security/sa-2022-0004.html Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2613>
parent
92b5eb1da3
commit
0df0dd7fe3
1 changed files with 9 additions and 1 deletions
|
@ -3932,7 +3932,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
} else {
|
} else {
|
||||||
guint8 *outdata = NULL;
|
guint8 *outdata = NULL;
|
||||||
gsize buf_size, size;
|
gsize buf_size, size;
|
||||||
guint32 block_samples, flags, crc, blocksize;
|
guint32 block_samples, flags, crc;
|
||||||
|
gsize blocksize;
|
||||||
GstAdapter *adapter;
|
GstAdapter *adapter;
|
||||||
|
|
||||||
adapter = gst_adapter_new ();
|
adapter = gst_adapter_new ();
|
||||||
|
@ -3973,6 +3974,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
return GST_FLOW_ERROR;
|
return GST_FLOW_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
|
||||||
|
GST_ERROR_OBJECT (element, "Too big wavpack buffer");
|
||||||
|
gst_buffer_unmap (*buf, &map);
|
||||||
|
g_object_unref (adapter);
|
||||||
|
return GST_FLOW_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
g_assert (newbuf == NULL);
|
g_assert (newbuf == NULL);
|
||||||
|
|
||||||
newbuf =
|
newbuf =
|
||||||
|
|
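Review bot: The new `blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE` guard has no comment saying what it protects, and it appears to depend on the `gsize blocksize;` declaration change in the first hunk, which presumably keeps the later size addition out of 32-bit arithmetic. A short comment above the check would tie the two together, e.g. `/* WAVPACK4_HEADER_SIZE + blocksize is used as an allocation size below; reject values that would wrap gsize */`. The error message would also help more when triaging malformed files if it logged the rejected value: `GST_ERROR_OBJECT (element, "Too big wavpack buffer: %" G_GSIZE_FORMAT, blocksize);`. The allocation after `newbuf =` and the place where blocksize is read are outside the hunk, so whether the guard can ever trigger where gsize is 64 bits wide cannot be confirmed from here.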