mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-07-02 12:45:51 +00:00
Code Issues 1 Projects Releases Wiki Activity

matroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header handling code

Browse source 
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
results in allocating a very small buffer. Into that buffer blocksize
data is memcpy'd later which then causes out of bound writes and can
potentially lead to anything from crashes to remote code execution.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: CVE-2022-1920

https://gstreamer.freedesktop.org/security/sa-2022-0004.html

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
This commit is contained in:
Sebastian Dröge 2022-05-18 10:23:15 +03:00 committed by GStreamer Marge Bot
parent 14d306da6d
commit cf887f1b8e
1 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
View file

@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
} else {
guint8 *outdata = NULL;
gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
guint32 block_samples, flags, crc;
gsize blocksize;
GstAdapter *adapter;
adapter = gst_adapter_new ();
@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
return GST_FLOW_ERROR;
}
if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
GST_ERROR_OBJECT (element, "Too big wavpack buffer");
gst_buffer_unmap (*buf, &map);
g_object_unref (adapter);
return GST_FLOW_ERROR;
}
g_assert (newbuf == NULL);
newbuf =