qtdemux: Make sure enough data is available before reading wave header node

Thanks to Antonio Morales for finding and reporting the issue. Fixes GHSL-2024-236 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
2024-12-18 22:36:33 +00:00 · 2024-09-26 14:17:02 +03:00 · 2024-09-26 14:17:02 +03:00 · c1cd838706
commit c1cd838706
parent 1d534ac209
1 changed files with 38 additions and 32 deletions
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@ -13704,6 +13704,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
        } else {
          guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16);
          const guint8 *data = stsd_entry_data + offset + 16;
+
+          if (len < datalen || len - datalen < offset + 16) {
+            GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode");
+          } else {
            GNode *wavenode;
            GNode *waveheadernode;

@ -13712,7 +13716,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
              const guint8 *waveheader;
              guint32 headerlen;

-            waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc);
+              waveheadernode =
+                  qtdemux_tree_get_child_by_type (wavenode, fourcc);
              if (waveheadernode) {
                waveheader = (const guint8 *) waveheadernode->data;
                headerlen = QT_UINT32 (waveheader);
@ -13733,8 +13738,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
                    gst_caps_unref (entry->caps);
                    /* FIXME: Need to do something with the channel reorder map */
                    entry->caps =
-                      gst_riff_create_audio_caps (header->format, NULL, header,
-                      extra, NULL, NULL, NULL);
+                        gst_riff_create_audio_caps (header->format, NULL,
+                        header, extra, NULL, NULL, NULL);

                    if (extra)
                      gst_buffer_unref (extra);
@ -13746,6 +13751,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
            }
            g_node_destroy (wavenode);
          }
+        }
      } else if (esds) {
        gst_qtdemux_handle_esds (qtdemux, stream, entry, esds,
            stream->stream_tags);