flacparse: fix buffer overflow in gst_flac_parse_frame_is_valid

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7261>
This commit is contained in:
Sergey Krivohatskiy 2024-05-13 11:08:15 +03:00 committed by Backport Bot
parent 627b0f1764
commit cff4135b04

View file

@ -652,13 +652,15 @@ static gboolean
gst_flac_parse_frame_is_valid (GstFlacParse * flacparse, gst_flac_parse_frame_is_valid (GstFlacParse * flacparse,
const guint8 * data, gsize size, guint * ret) const guint8 * data, gsize size, guint * ret)
{ {
guint max, remaining; guint max;
guint i, search_start, search_end; guint i, search_start, search_end;
FrameHeaderCheckReturn header_ret; FrameHeaderCheckReturn header_ret;
guint16 block_size; guint16 block_size;
gboolean suspect_start = FALSE, suspect_end = FALSE; gboolean suspect_start = FALSE, suspect_end = FALSE;
if (size < flacparse->min_framesize) /* minimum frame header size is 5 bytes and we read that much
* without checking the size below */
if (size < MAX (flacparse->min_framesize, 5))
goto need_more; goto need_more;
header_ret = header_ret =
@ -673,15 +675,14 @@ gst_flac_parse_frame_is_valid (GstFlacParse * flacparse,
/* mind unknown framesize */ /* mind unknown framesize */
search_start = MAX (2, flacparse->min_framesize); search_start = MAX (2, flacparse->min_framesize);
/* at minimum 5 bytes are read below so stop 5 bytes before the end.
* we also checked above that at least 5 bytes are available. */
search_end = size - 5;
if (flacparse->max_framesize) if (flacparse->max_framesize)
search_end = MIN (size, flacparse->max_framesize + 9 + 2); search_end = MIN (search_end, flacparse->max_framesize + 9 + 2);
else
search_end = size;
search_end -= 2;
remaining = size; for (i = search_start; i < search_end; i++) {
for (i = search_start; i < search_end; i++, remaining--) {
if ((GST_READ_UINT16_BE (data + i) & 0xfffe) != 0xfff8) if ((GST_READ_UINT16_BE (data + i) & 0xfffe) != 0xfff8)
continue; continue;
@ -690,7 +691,7 @@ gst_flac_parse_frame_is_valid (GstFlacParse * flacparse,
suspect_end = FALSE; suspect_end = FALSE;
header_ret = header_ret =
gst_flac_parse_frame_header_is_valid (flacparse, data + i, gst_flac_parse_frame_header_is_valid (flacparse, data + i,
remaining, FALSE, NULL, &suspect_end); size - i, FALSE, NULL, &suspect_end);
if (header_ret == FRAME_HEADER_VALID) { if (header_ret == FRAME_HEADER_VALID) {
if (flacparse->check_frame_checksums || suspect_start || suspect_end) { if (flacparse->check_frame_checksums || suspect_start || suspect_end) {
guint16 actual_crc = gst_flac_calculate_crc16 (data, i - 2); guint16 actual_crc = gst_flac_calculate_crc16 (data, i - 2);