mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2024-11-29 05:01:23 +00:00
mxfdemux: Check number of channels for AES3 audio
Only up to 8 channels are allowed; using a higher number would cause integer overflows when copying the data and lead to out-of-bounds writes. Also check that each buffer is at least 4 bytes long to avoid another overflow.

Fixes ZDI-CAN-21661, CVE-2023-40475
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
parent
ce17e968e4
commit
72742dee30
1 changed files with 2 additions and 1 deletions
|
@ -101,7 +101,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
||||||
gst_buffer_map (buffer, &map, GST_MAP_READ);
|
gst_buffer_map (buffer, &map, GST_MAP_READ);
|
||||||
|
|
||||||
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
|
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
|
||||||
if ((map.size - 4) % 32 != 0) {
|
if (map.size < 4 || (map.size - 4) % 32 != 0) {
|
||||||
gst_buffer_unmap (buffer, &map);
|
gst_buffer_unmap (buffer, &map);
|
||||||
GST_ERROR ("Invalid D10 sound essence buffer size");
|
GST_ERROR ("Invalid D10 sound essence buffer size");
|
||||||
return GST_FLOW_ERROR;
|
return GST_FLOW_ERROR;
|
||||||
|
@ -201,6 +201,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
|
||||||
GstAudioFormat audio_format;
|
GstAudioFormat audio_format;
|
||||||
|
|
||||||
if (s->channel_count == 0 ||
|
if (s->channel_count == 0 ||
|
||||||
|
s->channel_count > 8 ||
|
||||||
s->quantization_bits == 0 ||
|
s->quantization_bits == 0 ||
|
||||||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
|
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
|
||||||
GST_ERROR ("Invalid descriptor");
|
GST_ERROR ("Invalid descriptor");
|
||||||
|
|
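Review bot: The added `s->channel_count > 8` test in mxf_d10_create_caps is the only visible enforcement of the channel limit, and it sits in a different function from the AES3 copy that the commit message says overflows; the guard in mxf_d10_sound_handle_essence_element checks only `map.size`. If the essence handler can ever run with mapping data that did not pass through this descriptor check (not determinable from these hunks, since both functions continue outside them), the out-of-bounds write becomes reachable again, so the handler should re-validate the channel count next to the size test. The bare `8` here and the `32` in `% 32` appear to describe the same SMPTE 331M frame layout. A shared constant such as `#define MXF_D10_MAX_CHANNELS 8` (name is a suggestion) with the comment `/* SMPTE 331M: one AES3 sample frame holds 8 channel slots of 4 bytes */` would keep the two checks from drifting apart.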