qtdemux: Fix integer overflows in zlib decompression code

Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.

In addition the size of the decompressed data is limited to 200MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.

Also fix a bug where the available output size on the next iteration in
the zlib decompression code was provided too large and could
potentially lead to out of bound writes.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: tbd

https://gstreamer.freedesktop.org/security/sa-2022-0003.html

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
This commit is contained in:
Sebastian Dröge 2022-05-30 10:15:37 +03:00 committed by GStreamer Marge Bot
parent ad6012159a
commit 14d306da6d

View file

@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
break; break;
} }
if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
GST_WARNING ("too big decompressed data");
ret = Z_MEM_ERROR;
break;
}
*length += 4096; *length += 4096;
buffer = (guint8 *) g_realloc (buffer, *length); buffer = (guint8 *) g_realloc (buffer, *length);
z.next_out = (Bytef *) (buffer + z.total_out); z.next_out = (Bytef *) (buffer + z.total_out);
z.avail_out += 4096; z.avail_out += *length - z.total_out;
} while (z.avail_in > 0); } while (z.avail_in > 0);
if (ret != Z_STREAM_END) { if (ret != Z_STREAM_END) {