mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2025-01-01 21:18:52 +00:00
flacparse: fix buffer overflow in gst_flac_parse_frame_is_valid
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6835>
This commit is contained in:
parent
7b547e044c
commit
1c5e1798b6
1 changed files with 11 additions and 10 deletions
|
@ -652,13 +652,15 @@ static gboolean
|
||||||
gst_flac_parse_frame_is_valid (GstFlacParse * flacparse,
|
gst_flac_parse_frame_is_valid (GstFlacParse * flacparse,
|
||||||
const guint8 * data, gsize size, guint * ret)
|
const guint8 * data, gsize size, guint * ret)
|
||||||
{
|
{
|
||||||
guint max, remaining;
|
guint max;
|
||||||
guint i, search_start, search_end;
|
guint i, search_start, search_end;
|
||||||
FrameHeaderCheckReturn header_ret;
|
FrameHeaderCheckReturn header_ret;
|
||||||
guint16 block_size;
|
guint16 block_size;
|
||||||
gboolean suspect_start = FALSE, suspect_end = FALSE;
|
gboolean suspect_start = FALSE, suspect_end = FALSE;
|
||||||
|
|
||||||
if (size < flacparse->min_framesize)
|
/* minimum frame header size is 5 bytes and we read that much
|
||||||
|
* without checking the size below */
|
||||||
|
if (size < MAX (flacparse->min_framesize, 5))
|
||||||
goto need_more;
|
goto need_more;
|
||||||
|
|
||||||
header_ret =
|
header_ret =
|
||||||
|
@ -673,15 +675,14 @@ gst_flac_parse_frame_is_valid (GstFlacParse * flacparse,
|
||||||
|
|
||||||
/* mind unknown framesize */
|
/* mind unknown framesize */
|
||||||
search_start = MAX (2, flacparse->min_framesize);
|
search_start = MAX (2, flacparse->min_framesize);
|
||||||
|
|
||||||
|
/* at minimum 5 bytes are read below so stop 5 bytes before the end.
|
||||||
|
* we also checked above that at least 5 bytes are available. */
|
||||||
|
search_end = size - 5;
|
||||||
if (flacparse->max_framesize)
|
if (flacparse->max_framesize)
|
||||||
search_end = MIN (size, flacparse->max_framesize + 9 + 2);
|
search_end = MIN (search_end, flacparse->max_framesize + 9 + 2);
|
||||||
else
|
|
||||||
search_end = size;
|
|
||||||
search_end -= 2;
|
|
||||||
|
|
||||||
remaining = size;
|
for (i = search_start; i < search_end; i++) {
|
||||||
|
|
||||||
for (i = search_start; i < search_end; i++, remaining--) {
|
|
||||||
|
|
||||||
if ((GST_READ_UINT16_BE (data + i) & 0xfffe) != 0xfff8)
|
if ((GST_READ_UINT16_BE (data + i) & 0xfffe) != 0xfff8)
|
||||||
continue;
|
continue;
|
||||||
|
@ -690,7 +691,7 @@ gst_flac_parse_frame_is_valid (GstFlacParse * flacparse,
|
||||||
suspect_end = FALSE;
|
suspect_end = FALSE;
|
||||||
header_ret =
|
header_ret =
|
||||||
gst_flac_parse_frame_header_is_valid (flacparse, data + i,
|
gst_flac_parse_frame_header_is_valid (flacparse, data + i,
|
||||||
remaining, FALSE, NULL, &suspect_end);
|
size - i, FALSE, NULL, &suspect_end);
|
||||||
if (header_ret == FRAME_HEADER_VALID) {
|
if (header_ret == FRAME_HEADER_VALID) {
|
||||||
if (flacparse->check_frame_checksums || suspect_start || suspect_end) {
|
if (flacparse->check_frame_checksums || suspect_start || suspect_end) {
|
||||||
guint16 actual_crc = gst_flac_calculate_crc16 (data, i - 2);
|
guint16 actual_crc = gst_flac_calculate_crc16 (data, i - 2);
|
||||||
|
|
Loading…
Reference in a new issue