mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2025-02-20 13:06:23 +00:00
vorbistag: Protect memory allocation calculation from overflow.
Patch by: Tomas Hoger <thoger@redhat.com> Fixes CVE-2009-0586
This commit is contained in:
Jan Schmidt
parent
02339d2d4c
commit
566583e871
1 changed files with 14 additions and 19 deletions
|
|
@ -305,30 +305,32 @@ gst_vorbis_tag_add (GstTagList * list, const gchar * tag, const gchar * value)
|
|||
}
|
||||
|
||||
static void
|
||||
gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64,
|
||||
gst_vorbis_tag_add_coverart (GstTagList * tags, gchar * img_data_base64,
|
||||
gint base64_len)
|
||||
{
|
||||
GstBuffer *img;
|
||||
guchar *img_data;
|
||||
gsize img_len;
|
||||
guchar *out;
|
||||
guint save = 0;
|
||||
gint state = 0;
|
||||
|
||||
if (base64_len < 2)
|
||||
goto not_enough_data;
|
||||
|
||||
img_data = g_try_malloc0 (base64_len * 3 / 4);
|
||||
|
||||
if (img_data == NULL)
|
||||
goto alloc_failed;
|
||||
|
||||
img_len = g_base64_decode_step (img_data_base64, base64_len, img_data,
|
||||
&state, &save);
|
||||
/* img_data_base64 points to a temporary copy of the base64 encoded data, so
|
||||
* it's safe to do inpace decoding here
|
||||
* TODO: glib 2.20 and later provides g_base64_decode_inplace, so change this
|
||||
* to use glib's API instead once it's in wider use:
|
||||
* http://bugzilla.gnome.org/show_bug.cgi?id=564728
|
||||
* http://svn.gnome.org/viewvc/glib?view=revision&revision=7807 */
|
||||
out = (guchar *) img_data_base64;
|
||||
img_len = g_base64_decode_step (img_data_base64, base64_len,
|
||||
out, &state, &save);
|
||||
|
||||
if (img_len == 0)
|
||||
goto decode_failed;
|
||||
|
||||
img = gst_tag_image_data_to_image_buffer (img_data, img_len,
|
||||
img = gst_tag_image_data_to_image_buffer (out, img_len,
|
||||
GST_TAG_IMAGE_TYPE_NONE);
|
||||
|
||||
if (img == NULL)
|
||||
|
|
@ -338,7 +340,6 @@ gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64,
|
|||
GST_TAG_PREVIEW_IMAGE, img, NULL);
|
||||
|
||||
gst_buffer_unref (img);
|
||||
g_free (img_data);
|
||||
return;
|
||||
|
||||
/* ERRORS */
|
||||
|
|
@ -347,21 +348,14 @@ not_enough_data:
|
|||
GST_WARNING ("COVERART tag with too little base64-encoded data");
|
||||
return;
|
||||
}
|
||||
alloc_failed:
|
||||
{
|
||||
GST_WARNING ("Couldn't allocate enough memory to decode COVERART tag");
|
||||
return;
|
||||
}
|
||||
decode_failed:
|
||||
{
|
||||
GST_WARNING ("Couldn't decode bas64 image data from COVERART tag");
|
||||
g_free (img_data);
|
||||
GST_WARNING ("Couldn't decode base64 image data from COVERART tag");
|
||||
return;
|
||||
}
|
||||
convert_failed:
|
||||
{
|
||||
GST_WARNING ("Couldn't extract image or image type from COVERART tag");
|
||||
g_free (img_data);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
|
@ -457,6 +451,7 @@ error:
|
|||
return NULL;
|
||||
#undef ADVANCE
|
||||
}
|
||||
|
||||
typedef struct
|
||||
{
|
||||
guint count;
|
||||
|
|
|
|||
Loading…
Reference in a new issue