mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-12-19 14:56:36 +00:00
Code Issues 1 Projects Releases Wiki Activity

qtdemux: Fix error handling when parsing cenc sample groups fails

Browse source 
Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
This commit is contained in:
Sebastian Dröge 2024-09-27 09:47:50 +03:00 committed by GStreamer Marge Bot
parent 98f3934c48
commit 4a0e8bf92b
1 changed files with 19 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
View file

@ -3834,7 +3834,7 @@ qtdemux_get_cenc_sample_properties (GstQTDemux * qtdemux,
static gboolean static gboolean
qtdemux_parse_sbgp (GstQTDemux * qtdemux, QtDemuxStream * stream, qtdemux_parse_sbgp (GstQTDemux * qtdemux, QtDemuxStream * stream,
GstByteReader * br, guint32 group, GPtrArray ** sample_to_group_array, GstByteReader * br, guint32 group, GPtrArray ** sample_to_group_array,
GstStructure * default_properties, GPtrArray * tack_properties_array, GstStructure * default_properties, GPtrArray * track_properties_array,
GPtrArray * group_properties_array) GPtrArray * group_properties_array)
{ {
guint32 flags = 0; guint32 flags = 0;
@ -3893,15 +3893,15 @@ qtdemux_parse_sbgp (GstQTDemux * qtdemux, QtDemuxStream * stream,
if (index > 0x10000) { if (index > 0x10000) {
/* Index is referring the current fragment. */ /* Index is referring the current fragment. */
index -= 0x10001; index -= 0x10001;
if (index < group_properties_array->len) if (group_properties_array && index < group_properties_array->len)
properties = g_ptr_array_index (group_properties_array, index); properties = g_ptr_array_index (group_properties_array, index);
else else
GST_ERROR_OBJECT (qtdemux, "invalid group index %u", index); GST_ERROR_OBJECT (qtdemux, "invalid group index %u", index);
} else if (index > 0) { } else if (index > 0) {
/* Index is referring to the whole track. */ /* Index is referring to the whole track. */
index--; index--;
if (index < tack_properties_array->len) if (track_properties_array && index < track_properties_array->len)
properties = g_ptr_array_index (tack_properties_array, index); properties = g_ptr_array_index (track_properties_array, index);
else else
GST_ERROR_OBJECT (qtdemux, "invalid group index %u", index); GST_ERROR_OBJECT (qtdemux, "invalid group index %u", index);
} else { } else {
@ -4452,6 +4452,11 @@ qtdemux_parse_moof (GstQTDemux * qtdemux, const guint8 * buffer, guint length,
GNode *sgpd_node; GNode *sgpd_node;
GstByteReader sgpd_data; GstByteReader sgpd_data;
if (!info) {
GST_ERROR_OBJECT (qtdemux, "Have no valid protection scheme info");
goto fail;
}
if (info->fragment_group_properties) { if (info->fragment_group_properties) {
g_ptr_array_free (info->fragment_group_properties, TRUE); g_ptr_array_free (info->fragment_group_properties, TRUE);
info->fragment_group_properties = NULL; info->fragment_group_properties = NULL;
@ -11965,12 +11970,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
if (stream->subtype != FOURCC_soun) { if (stream->subtype != FOURCC_soun) {
GST_ERROR_OBJECT (qtdemux, GST_ERROR_OBJECT (qtdemux,
"Unexpeced stsd type 'aavd' outside 'soun' track"); "Unexpeced stsd type 'aavd' outside 'soun' track");
goto corrupt_file;
} else { } else {
/* encrypted audio with sound sample description v0 */ /* encrypted audio with sound sample description v0 */
GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc);
stream->protected = TRUE; stream->protected = TRUE;
if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) {
GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info");
goto corrupt_file;
}
} }
} }
@ -11979,8 +11987,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
* with the same type */ * with the same type */
GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc);
stream->protected = TRUE; stream->protected = TRUE;
if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) {
GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info");
goto corrupt_file;
}
} }
if (stream->subtype == FOURCC_vide) { if (stream->subtype == FOURCC_vide) {
@ -14078,6 +14088,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
GNode *sgpd_node; GNode *sgpd_node;
GstByteReader sgpd_data; GstByteReader sgpd_data;
if (!info)
goto corrupt_file;
if (info->track_group_properties) { if (info->track_group_properties) {
g_ptr_array_free (info->fragment_group_properties, TRUE); g_ptr_array_free (info->fragment_group_properties, TRUE);
info->fragment_group_properties = NULL; info->fragment_group_properties = NULL;