From 3ddb4c6f0e10473e3f917e6a1b8593d4b44dbc13 Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Sun, 21 Nov 2021 17:52:48 -0500
Subject: [PATCH] tagdemux: Fix crash when presented with malformed files

There's a race condition in gsttagdemux.c between typefinding and the end-of-stream event. If TYPE_FIND_MAX_SIZE is exceeded, demux->priv->collect is set to NULL and an error is returned. However, the end-of-stream event causes one last attempt at typefinding to occur. This leads to gst_tag_demux_trim_buffer() being called with the NULL demux->priv->collect buffer which it attempts to dereference, resulting in a segfault.

The malicious MP3 can be created by:

printf "\x49\x44\x33\x04\x00\x00\x00\x00\x00\x00%s", \
"$(dd if=/dev/urandom bs=1K count=200)" > malicious.mp3

This creates a valid ID3 header which gets us as far as typefinding. The crash can then be reproduced with the following pipeline:

gst-launch-1.0 -e filesrc location=malicious.mp3 ! queue ! decodebin ! audioconvert ! vorbisenc ! oggmux ! filesink location=malicious.ogg

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/967
Part-of:
---
 .../gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c
index 8164c0d2f3..9f6096e4ae 100644
--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c
@@ -655,9 +655,11 @@ gst_tag_demux_chain_buffer (GstTagDemux * demux, GstBuffer * buf,
       /* Trim the buffer and adjust offset for typefinding */
       typefind_buf = demux->priv->collect;
-      gst_buffer_ref (typefind_buf);
-      if (!gst_tag_demux_trim_buffer (demux, &typefind_buf, &typefind_size))
-        return GST_FLOW_EOS;
+      if (typefind_buf) {
+        gst_buffer_ref (typefind_buf);
+        if (!gst_tag_demux_trim_buffer (demux, &typefind_buf, &typefind_size))
+          return GST_FLOW_EOS;
+      }
       if (typefind_buf == NULL)
         break;                  /* Still need more data */
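Review bot: The new `if (typefind_buf)` guard stops the NULL dereference, but it routes the post-TYPE_FIND_MAX_SIZE state (collect set to NULL after an error was already posted, per the commit message) into the same `break;` whose context comment says "Still need more data", so the abandoned-typefind case is now indistinguishable in this function from the legitimate not-enough-bytes-yet case. If the code after the loop (outside this hunk) returns GST_FLOW_OK from that break, the EOS-triggered chain call would report success for a stream whose typefinding has already failed; I would either have the EOS path skip its final typefind attempt when `demux->priv->collect == NULL`, or make the two states explicit here rather than relying on the shared NULL check. At minimum the existing comment no longer describes both paths and should be updated, e.g. `break; /* No data collected yet, or typefinding was abandoned (collect is NULL after the TYPE_FIND_MAX_SIZE error) */`. gst_tag_demux_chain_buffer's body starts and ends outside this hunk, so the return value after the break could not be checked from here.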