mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2025-04-23 09:04:15 +00:00
Code Issues 1 Projects Releases Wiki Activity

vorbistag: Protect memory allocation calculation from overflow.

Browse source 
Patch by: Tomas Hoger <thoger@redhat.com> Fixes CVE-2009-0586
This commit is contained in:
Jan Schmidt 2009-02-24 15:58:42 +00:00
parent 02339d2d4c
commit 566583e871
1 changed files with 14 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
gst-libs/gst/tag/gstvorbistag.c
View file

@ -305,30 +305,32 @@ gst_vorbis_tag_add (GstTagList * list, const gchar * tag, const gchar * value)
} }
static void static void
gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64, gst_vorbis_tag_add_coverart (GstTagList * tags, gchar * img_data_base64,
gint base64_len) gint base64_len)
{ {
GstBuffer *img; GstBuffer *img;
guchar *img_data;
gsize img_len; gsize img_len;
guchar *out;
guint save = 0; guint save = 0;
gint state = 0; gint state = 0;
if (base64_len < 2) if (base64_len < 2)
goto not_enough_data; goto not_enough_data;
img_data = g_try_malloc0 (base64_len * 3 / 4); /* img_data_base64 points to a temporary copy of the base64 encoded data, so
* it's safe to do inpace decoding here
if (img_data == NULL) * TODO: glib 2.20 and later provides g_base64_decode_inplace, so change this
goto alloc_failed; * to use glib's API instead once it's in wider use:
* http://bugzilla.gnome.org/show_bug.cgi?id=564728
img_len = g_base64_decode_step (img_data_base64, base64_len, img_data, * http://svn.gnome.org/viewvc/glib?view=revision&revision=7807 */
&state, &save); out = (guchar *) img_data_base64;
img_len = g_base64_decode_step (img_data_base64, base64_len,
out, &state, &save);
if (img_len == 0) if (img_len == 0)
goto decode_failed; goto decode_failed;
img = gst_tag_image_data_to_image_buffer (img_data, img_len, img = gst_tag_image_data_to_image_buffer (out, img_len,
GST_TAG_IMAGE_TYPE_NONE); GST_TAG_IMAGE_TYPE_NONE);
if (img == NULL) if (img == NULL)
@ -338,7 +340,6 @@ gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64,
GST_TAG_PREVIEW_IMAGE, img, NULL); GST_TAG_PREVIEW_IMAGE, img, NULL);
gst_buffer_unref (img); gst_buffer_unref (img);
g_free (img_data);
return; return;
/* ERRORS */ /* ERRORS */
@ -347,21 +348,14 @@ not_enough_data:
GST_WARNING ("COVERART tag with too little base64-encoded data"); GST_WARNING ("COVERART tag with too little base64-encoded data");
return; return;
} }
alloc_failed:
{
GST_WARNING ("Couldn't allocate enough memory to decode COVERART tag");
return;
}
decode_failed: decode_failed:
{ {
GST_WARNING ("Couldn't decode bas64 image data from COVERART tag"); GST_WARNING ("Couldn't decode base64 image data from COVERART tag");
g_free (img_data);
return; return;
} }
convert_failed: convert_failed:
{ {
GST_WARNING ("Couldn't extract image or image type from COVERART tag"); GST_WARNING ("Couldn't extract image or image type from COVERART tag");
g_free (img_data);
return; return;
} }
} }
@ -457,6 +451,7 @@ error:
return NULL; return NULL;
#undef ADVANCE #undef ADVANCE
} }
typedef struct typedef struct
{ {
guint count; guint count;