From be11a6e26b62f9822fe382d1b6727ddecb30b3af Mon Sep 17 00:00:00 2001
From: Adam Doupe
Date: Thu, 19 May 2022 04:16:25 +0000
Subject: [PATCH] smpte: Fix integer overflow with possible heap corruption in GstMask creation. Check that width*height*sizeof(guint32) doesn't overflow when allocated user_data for mask, potential for heap overwrite when inverting. Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1231 Part-of:
---
 subprojects/gst-plugins-good/gst/smpte/gstmask.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/subprojects/gst-plugins-good/gst/smpte/gstmask.c b/subprojects/gst-plugins-good/gst/smpte/gstmask.c
index 92b591936c..9b00061d50 100644
--- a/subprojects/gst-plugins-good/gst/smpte/gstmask.c
+++ b/subprojects/gst-plugins-good/gst/smpte/gstmask.c
@@ -85,6 +85,13 @@ gst_mask_factory_new (gint type, gboolean invert, gint bpp, gint width,
 mask->height = height;
 mask->destroy_func = definition->destroy_func;
 mask->user_data = definition->user_data;
+
+ if (((guint64) width * (guint64) height * sizeof (guint32)) > G_MAXUINT) {
+ GST_WARNING ("width x height overflows");
+ g_free (mask);
+ return NULL;
+ }
+
 mask->data = g_malloc (width * height * sizeof (guint32));
 definition->draw_func (mask);
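Review bot: The new guard in gst_mask_factory_new casts `width` and `height` to `guint64` without first rejecting negative values, so a negative `gint` sign-extends and the 64-bit product can wrap back under `G_MAXUINT` (for example when both are negative). The call then reaches `g_malloc (width * height * sizeof (guint32))`, where `width * height` is still multiplied as `gint`. Whether callers can pass negative dimensions is not visible in this hunk, but the check is cheap to make self-contained: `if (width < 0 || height < 0 || (guint64) width * (guint64) height * sizeof (guint32) > G_MAXUINT) {`. It would also help to compute the size once into a local and pass that same value to `g_malloc`, so the checked and the allocated expressions cannot drift apart. The function body starts and ends outside the hunk.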