mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2025-02-17 11:45:25 +00:00
Code Issues 1 Projects Releases Wiki Activity

riff: error out on nonsensical chunk sizes instead of aborting

Browse source 
When encountering a nonsensical chunk size such as (guint)-1, error out cleanly instead of
continuing and trying to g_memdup() 4GB of data that doesn't exist, which will either abort
in g_malloc() or crash.

Fixes #553295, crash with fuzzed AVI file.
This commit is contained in:
Tim-Philipp Müller 2009-02-11 16:39:55 +00:00
parent 2a89ee9dd3
commit 1fedfec220
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
gst-libs/gst/riff/riff-read.c
View file

@ -153,6 +153,10 @@ gst_riff_parse_chunk (GstElement * element, GstBuffer * buf,
GST_DEBUG_OBJECT (element, "fourcc=%" GST_FOURCC_FORMAT ", size=%u", GST_DEBUG_OBJECT (element, "fourcc=%" GST_FOURCC_FORMAT ", size=%u",
GST_FOURCC_ARGS (fourcc), size); GST_FOURCC_ARGS (fourcc), size);
/* be paranoid: size may be nonsensical value here, such as (guint) -1 */
if (G_UNLIKELY (size > G_MAXINT))
goto bogus_size;
if (bufsize < size + 8 + offset) { if (bufsize < size + 8 + offset) {
GST_DEBUG_OBJECT (element, GST_DEBUG_OBJECT (element,
"Needed chunk data (%d) is more than available (%d), shortcutting", "Needed chunk data (%d) is more than available (%d), shortcutting",
@ -183,6 +187,11 @@ too_small:
offset, bufsize, 8); offset, bufsize, 8);
return FALSE; return FALSE;
} }
bogus_size:
{
GST_ERROR_OBJECT (element, "Broken file: bogus chunk size %u", size);
return FALSE;
}
} }
/** /**