mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2024-11-26 19:51:11 +00:00
matroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header handling code
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then results in allocating a very small buffer. Into that buffer blocksize data is memcpy'd later which then causes out of bound writes and can potentially lead to anything from crashes to remote code execution. Thanks to Adam Doupe for analyzing and reporting the issue. CVE: CVE-2022-1920 https://gstreamer.freedesktop.org/security/sa-2022-0004.html Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
This commit is contained in:
parent
14d306da6d
commit
cf887f1b8e
1 changed files with 9 additions and 1 deletions
|
@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
|||
} else {
|
||||
guint8 *outdata = NULL;
|
||||
gsize buf_size, size;
|
||||
guint32 block_samples, flags, crc, blocksize;
|
||||
guint32 block_samples, flags, crc;
|
||||
gsize blocksize;
|
||||
GstAdapter *adapter;
|
||||
|
||||
adapter = gst_adapter_new ();
|
||||
|
@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
|||
return GST_FLOW_ERROR;
|
||||
}
|
||||
|
||||
if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
|
||||
GST_ERROR_OBJECT (element, "Too big wavpack buffer");
|
||||
gst_buffer_unmap (*buf, &map);
|
||||
g_object_unref (adapter);
|
||||
return GST_FLOW_ERROR;
|
||||
}
|
||||
|
||||
g_assert (newbuf == NULL);
|
||||
|
||||
newbuf =
|
||||
|
|
Loading…
Reference in a new issue