mxfdemux: Check number of channels for AES3 audio

Only up to 8 channels are allowed and using a higher number would cause
integer overflows when copying the data, and lead to out of bound
writes.

Also check that each buffer is at least 4 bytes long to avoid another
overflow.

Fixes ZDI-CAN-21661, CVE-2023-40475

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
This commit is contained in:
Sebastian Dröge 2023-08-10 15:47:03 +03:00 committed by GStreamer Marge Bot
parent ce17e968e4
commit 72742dee30

View file

@ -101,7 +101,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gst_buffer_map (buffer, &map, GST_MAP_READ); gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */ /* Now transform raw AES3 into raw audio, see SMPTE 331M */
if ((map.size - 4) % 32 != 0) { if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map); gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size"); GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR; return GST_FLOW_ERROR;
@ -201,6 +201,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
GstAudioFormat audio_format; GstAudioFormat audio_format;
if (s->channel_count == 0 || if (s->channel_count == 0 ||
s->channel_count > 8 ||
s->quantization_bits == 0 || s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) { s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor"); GST_ERROR ("Invalid descriptor");