mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2025-01-23 23:58:17 +00:00
Code Issues 1 Projects Releases Wiki Activity

srtpdec: Fix a use-after-free buffer issue

Browse source 
The gst_srtp_dec_decode_buffer() function modifies the input buffer after making
it writable, so the pointer might change as well, depending on the refcount of
the buffer.

This issue was detected using a netsim element upstream of the decoder in a
WebRTC pipeline.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8198>
This commit is contained in:
Philippe Normand 2024-12-22 15:00:07 +01:00
parent 04c6727fcd
commit 7152d5c07a
1 changed files with 12 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
subprojects/gst-plugins-bad/ext/srtp/gstsrtpdec.c
View file

@ -1339,10 +1339,11 @@ err:
} }
/* /*
* This function should be called while holding the filter lock * This function should be called while holding the filter lock.
* The decoded buffer is stored in-place of the input @buf.
*/ */
static gboolean static gboolean
gst_srtp_dec_decode_buffer (GstSrtpDec * filter, GstPad * pad, GstBuffer * buf, gst_srtp_dec_decode_buffer (GstSrtpDec * filter, GstPad * pad, GstBuffer ** buf,
gboolean is_rtcp, guint32 ssrc) gboolean is_rtcp, guint32 ssrc)
{ {
GstMapInfo map; GstMapInfo map;
@ -1350,14 +1351,16 @@ gst_srtp_dec_decode_buffer (GstSrtpDec * filter, GstPad * pad, GstBuffer * buf,
gint size; gint size;
GstSrtpDecSsrcStream *stream; GstSrtpDecSsrcStream *stream;
g_return_val_if_fail (GST_IS_BUFFER (*buf), FALSE);
GST_LOG_OBJECT (pad, "Received %s buffer of size %" G_GSIZE_FORMAT GST_LOG_OBJECT (pad, "Received %s buffer of size %" G_GSIZE_FORMAT
" with SSRC = %u", is_rtcp ? "RTCP" : "RTP", gst_buffer_get_size (buf), " with SSRC = %u", is_rtcp ? "RTCP" : "RTP", gst_buffer_get_size (*buf),
ssrc); ssrc);
filter->recv_count++; filter->recv_count++;
/* Change buffer to remove protection */ /* Change buffer to remove protection */
buf = gst_buffer_make_writable (buf); *buf = gst_buffer_make_writable (*buf);
gst_buffer_map (buf, &map, GST_MAP_READWRITE); gst_buffer_map (*buf, &map, GST_MAP_READWRITE);
size = map.size; size = map.size;
unprotect: unprotect:
@ -1463,13 +1466,13 @@ unprotect:
stream->recv_drop_count++; stream->recv_drop_count++;
goto err; goto err;
} }
gst_buffer_unmap (buf, &map); gst_buffer_unmap (*buf, &map);
gst_buffer_set_size (buf, size); gst_buffer_set_size (*buf, size);
return TRUE; return TRUE;
err: err:
filter->recv_drop_count++; filter->recv_drop_count++;
gst_buffer_unmap (buf, &map); gst_buffer_unmap (*buf, &map);
return FALSE; return FALSE;
} }
@ -1498,7 +1501,7 @@ gst_srtp_dec_chain (GstPad * pad, GstObject * parent, GstBuffer * buf,
goto push_out; goto push_out;
} }
if (!gst_srtp_dec_decode_buffer (filter, pad, buf, is_rtcp, ssrc)) { if (!gst_srtp_dec_decode_buffer (filter, pad, &buf, is_rtcp, ssrc)) {
GST_OBJECT_UNLOCK (filter); GST_OBJECT_UNLOCK (filter);
goto drop_buffer; goto drop_buffer;
} }