wavparse: Fix clipping of size to the file size

The size does not include the 8 bytes tag and length, so an additional 8 bytes must be removed here. 8 bytes are always available at this point because otherwise the parsing of the tag and length right above would've failed. Thanks to Antonio Morales for finding and reporting the issue. Fixes GHSL-2024-260 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
2024-12-18 14:26:43 +00:00 · 2024-10-04 13:27:27 +03:00 · 2024-10-04 13:27:27 +03:00 · 526d0eef0d
commit 526d0eef0d
parent 93d79c22a8
1 changed files with 3 additions and 2 deletions
--- a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+++ b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
@ -1338,10 +1338,11 @@ gst_wavparse_stream_headers (GstWavParse * wav)
    }

    /* Clip to upstream size if known */
-    if (upstream_size > 0 && size + wav->offset > upstream_size) {
+    if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
      GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
      g_assert (upstream_size >= wav->offset);
-      size = upstream_size - wav->offset;
+      g_assert (upstream_size - wav->offset >= 8);
+      size = upstream_size - wav->offset - 8;
    }

    /* wav is a st00pid format, we don't know for sure where data starts.