qtdemux: Fix integer overflows in zlib decompression code
Various variables were of smaller types than needed and there were no checks for any overflows when doing additions on the sizes. This is all checked now. In addition the size of the decompressed data is limited to 200MB now as any larger sizes are likely pathological and we can avoid out-of-memory situations in many cases like this. Also fix a bug where the available output size on the next iteration in the zlib decompression code was provided too large and could potentially lead to out-of-bounds writes. Thanks to Adam Doupe for analyzing and reporting the issue. CVE: tbd https://gstreamer.freedesktop.org/security/sa-2022-0003.html Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
parent
ad6012159a
commit
14d306da6d
1 changed files with 7 additions and 1 deletions
|
@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
|
||||||
|
GST_WARNING ("too big decompressed data");
|
||||||
|
ret = Z_MEM_ERROR;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
*length += 4096;
|
*length += 4096;
|
||||||
buffer = (guint8 *) g_realloc (buffer, *length);
|
buffer = (guint8 *) g_realloc (buffer, *length);
|
||||||
z.next_out = (Bytef *) (buffer + z.total_out);
|
z.next_out = (Bytef *) (buffer + z.total_out);
|
||||||
z.avail_out += 4096;
|
z.avail_out += *length - z.total_out;
|
||||||
} while (z.avail_in > 0);
|
} while (z.avail_in > 0);
|
||||||
|
|
||||||
if (ret != Z_STREAM_END) {
|
if (ret != Z_STREAM_END) {
|
||||||
|
|
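Review bot: The new `z.avail_out += *length - z.total_out;` is only exact when `z.avail_out` is zero at that point, because the writable room behind the freshly reset `z.next_out` is precisely `*length - z.total_out`; adding that to any leftover `avail_out` would again tell zlib it has more space than the buffer holds. Assigning instead, `z.avail_out = *length - z.total_out;`, keeps the bound correct regardless of what inflate() left in the field. The loop head and the inflate() call sit outside this hunk, so whether a non-zero `avail_out` can actually reach this line is not visible here. The size guard would also benefit from a short comment such as `/* cap output growth; also keeps *length + 4096 from wrapping */`, since the two conditions serve different purposes.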