av1parser: Fix potential stack overflow during tile list parsing

The tile_count_minus_1 must be less than or equal to 511 as specified
in spec "6.11.1 General tile list OBU semantics"

Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5971>
Seungha Yang 2024-01-10 03:33:59 +09:00 committed by Tim-Philipp Müller
parent 19d3b14f51
commit 394d5066f8


@ -4347,6 +4347,13 @@ gst_av1_parser_parse_tile_list_obu (GstAV1Parser * parser,
tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16);
if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) {
GST_WARNING ("Invalid tile_count_minus_1 %d",
tile_list->tile_count_minus_1);
retval = GST_AV1_PARSER_BITSTREAM_ERROR;
goto error;
}
for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
retval = GST_AV1_PARSER_NO_MORE_DATA;
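Review bot: The added guard `if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT)` has no comment tying it to the storage it protects, so a later change to the constant or to the per-tile array could silently reopen the overflow. I would add `/* AV1 spec 6.11.1: tile_count_minus_1 <= 511; bounds the per-tile entries filled by the loop below */` above it. The array declaration is not visible in this hunk, so its length should be confirmed to equal GST_AV1_MAX_TILE_COUNT, ideally with a `G_STATIC_ASSERT` next to the struct definition. The `GST_WARNING` prints the field with `%d`; if the field is an unsigned type, `%u` would match it. gst_av1_parser_parse_tile_list_obu starts before and continues past this hunk, so the `error` label and the rest of the loop body were not reviewed.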